CVE-2020-36735

Name of the Vulnerable Software and Affected Versions WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress versions up to, and including, 1.6.3

Description The issue is due to missing or incorrect nonce validation on the (handle leave calendar filter), (add enable disable option save), (leave policies), (process bulk action), and (process crm contact) functions. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

Recommendations For versions up to, and including, 1.6.3, update to a version that includes the fix for the nonce validation issue. As a temporary workaround, consider restricting access to the (handle leave calendar filter), (add enable disable option save), (leave policies), (process bulk action), and (process crm contact) functions until a patch is available.