Authorization Bypass in Crew HRM Plugin for WordPress
CVE-2026-9237
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-9237?
The Crew HRM plugin for WordPress contains an authorization bypass vulnerability affecting all versions up to and including 1.2.2. This issue stems from the plugin's failure to adequately verify user permissions, enabling authenticated attackers with subscriber-level access to execute unauthorized actions. Specifically, these attackers can delete, archive, unarchive, or duplicate job listings alongside their associated metadata and applications by leveraging an arbitrary job_id. Additionally, the nonce used for verification in the Dispatcher::dispatch() method is accessible to all authenticated front-end visitors, allowing them to easily bypass nonce checks without elevated privileges, leading to potential exploitation of the system.
Affected Version(s)
Employee, Leave and Recruitment Management System β Crew HRM 0 <= 1.2.2