PT-2025-27844 · WordPress · Wp Human Resource Management

Kenneth Dunn · Published 2025-07-04 · Updated 2025-08-13 · CVE-2025-5956

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WP Human Resource Management plugin for WordPress, versions 2.0.0 through 2.2.17
Description: The issue arises from a missing authorization check in the ajax_delete_employee() function. An authenticated attacker with Employee-level access or above can delete arbitrary user accounts, including administrator accounts. The plugin's deletion handler reads the client-supplied $_POST['delete'] array and passes each ID directly to wp_delete_user() without verifying that the caller holds the delete_users capability and without restricting which user IDs may be removed. Because the only precondition is a low-privileged account (PR:L in the vector), any user the plugin has onboarded as an employee can remove the site's administrators, which is why integrity and availability impact are both rated High.
Recommendations: For WP Human Resource Management plugin for WordPress versions 2.0.0 through 2.2.17, consider disabling the ajax_delete_employee() handler until a patched release is available, so that the endpoint cannot be used for arbitrary user deletion. Restrict access to the deletion handler to accounts that actually hold the delete_users capability, and do not act on the client-supplied $_POST['delete'] array in the affected endpoint until the issue is resolved. Until then, review the site's user list for unexpected deletions and keep a current database backup, since deleted accounts cannot be recovered from WordPress itself. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
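The pattern the description above refers to, as an added illustration that is not the plugin's actual source: a reconstruction of the vulnerable shape (client-supplied $_POST['delete'] IDs fed straight to wp_delete_user()) next to a hardened handler that adds the missing nonce, capability, and scope checks. The function names with the hrm_ prefix, the AJAX action name, the nonce action name, and the 'employee' role slug are assumptions chosen for the example; only ajax_delete_employee(), $_POST['delete'], wp_delete_user() and delete_users come from the advisory.

```php
<?php
// Added example, not the plugin's code. Hook names, nonce action and the
// 'employee' role slug are assumptions; the WordPress core functions are real.

// Vulnerable shape, as described in the advisory: no capability check and no
// restriction on which IDs may be removed. Any logged-in caller that reaches
// this handler can delete any account, including administrators.
function hrm_ajax_delete_employee_vulnerable() {
    $ids = isset( $_POST['delete'] ) ? (array) $_POST['delete'] : array();
    foreach ( $ids as $id ) {
        wp_delete_user( (int) $id ); // arbitrary user ID straight from the client
    }
    wp_send_json_success();
}

// Hardened form.
function hrm_ajax_delete_employee_hardened() {
    // 1. CSRF: the request must carry the nonce issued to the deletion form
    //    (nonce action name is an assumption). Dies with 403 on failure.
    check_ajax_referer( 'hrm_delete_employee', 'nonce' );

    // 2. Authorization: the caller must hold the core capability that governs
    //    user deletion. Employee-level accounts do not, so this alone closes
    //    the hole the advisory describes.
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Input handling: coerce to positive integers, drop zeros and duplicates.
    $ids = isset( $_POST['delete'] )
        ? array_map( 'absint', (array) wp_unslash( $_POST['delete'] ) )
        : array();
    $ids     = array_values( array_filter( array_unique( $ids ) ) );
    $current = get_current_user_id();
    $deleted = array();
    $skipped = array();

    foreach ( $ids as $id ) {
        $user = get_userdata( $id );

        // 4. Scope: never delete the caller, never delete an administrator, and
        //    only delete accounts this feature is meant to manage (role slug
        //    'employee' is an assumption).
        if ( ! $user
            || $id === $current
            || in_array( 'administrator', (array) $user->roles, true )
            || ! in_array( 'employee', (array) $user->roles, true ) ) {
            $skipped[] = $id;
            continue;
        }

        // 5. Per-object check: the 'delete_user' meta capability maps to
        //    delete_users and is denied on multisite unless the caller is a
        //    super admin, so it is stricter than the coarse check above.
        if ( ! current_user_can( 'delete_user', $id ) ) {
            $skipped[] = $id;
            continue;
        }

        // wp_delete_user() lives in wp-admin/includes/user.php, which
        // admin-ajax.php already loads; reassign the user's content to the
        // caller instead of dropping it. Returns true on success.
        if ( wp_delete_user( $id, $current ) ) {
            $deleted[] = $id;
        } else {
            $skipped[] = $id;
        }
    }

    wp_send_json_success( array( 'deleted' => $deleted, 'skipped' => $skipped ) );
}

// Register only the hardened handler, and only for logged-in users: there is
// deliberately no wp_ajax_nopriv_ registration for a destructive action.
add_action( 'wp_ajax_hrm_delete_employee', 'hrm_ajax_delete_employee_hardened' );
```

The two checks that matter most are the nonce and current_user_can( 'delete_users' ); the role and self-deletion filters are defence in depth so that even an administrator using the feature cannot remove another administrator through an employee-management endpoint. When reviewing other AJAX handlers in the same plugin, look for the same shape: a wp_ajax_ callback that reads $_POST and calls a privileged core function without a capability check in between.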

Weakness Enumeration: Missing Authorization (CWE-862)

Related Identifiers: CVE-2025-5956

Affected Products: Wp Human Resource Management