Employee, Leave and Recruitment Management System – Crew HRM Security & Risk Analysis

wordpress.org/plugins/hr-management

Create career pages for job listings, hiring or recruiting great talent with Crew HRM. It helps manage employee info, leave requests, onboarding

200 active installs v1.2.2 PHP 7.4+ WP 6.3+ Updated Jul 29, 2025
employeehiringjob-listingrecruitment
96
A · Safe
CVEs total2
Unpatched0
Last CVEJun 2, 2026
Safety Verdict

Is Employee, Leave and Recruitment Management System – Crew HRM Safe to Use in 2026?

Generally Safe

Score 96/100

Employee, Leave and Recruitment Management System – Crew HRM has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEsLast CVE: Jun 2, 2026Updated 11mo ago
Risk Assessment

The "hr-management" plugin v1.2.2 exhibits a generally positive security posture with a low attack surface, primarily due to proper implementation of prepared statements for SQL queries and good output escaping practices. The absence of AJAX handlers and REST API routes without proper checks is also a strength. However, the presence of the `unserialize` function is a significant concern as it can lead to Remote Code Execution if used with untrusted input. While taint analysis shows no unsanitized flows in this specific scan, this function's inherent risk cannot be ignored.

The plugin's vulnerability history reveals a past high-severity vulnerability, specifically related to Deserialization of Untrusted Data. Although this vulnerability is reported as patched, the pattern indicates that this class of vulnerability is a recurring concern for this plugin. The fact that there is a past unpatched vulnerability of high severity, even if now patched, suggests a need for continuous vigilance and thorough code review, particularly around data handling that involves deserialization.

In conclusion, while the plugin demonstrates good security practices in many areas, the use of `unserialize` combined with its past deserialization vulnerability history presents a notable risk that warrants attention. The plugin's strengths lie in its limited attack surface and diligent use of prepared statements and output escaping. Its weaknesses center on the potential for deserialization vulnerabilities.

Key Concerns

  • Use of unserialize function
  • Past high severity CVE (Deserialization)
Vulnerabilities
2 published

Employee, Leave and Recruitment Management System – Crew HRM Security Vulnerabilities

CVEs by Year

1 CVE in 2024
2024
1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

High
1
Medium
1

2 total CVEs

CVE-2026-27351medium · 4.3Missing Authorization

Employee, Leave and Recruitment Management System – Crew HRM <= 1.2.2 - Missing Authorization

Jun 2, 2026 Patched in 1.2.3 (7d)
CVE-2024-43252high · 8.1Deserialization of Untrusted Data

Crew HRM <= 1.1.1 - Unauthenticated PHP Object Injection

Aug 12, 2024 Patched in 1.1.2 (11d)
Version History

Employee, Leave and Recruitment Management System – Crew HRM Release Timeline

Code Analysis
Analyzed Mar 16, 2026

Employee, Leave and Recruitment Management System – Crew HRM Code Analysis

Dangerous Functions
1
Raw SQL Queries
22
109 prepared
Unescaped Output
11
44 escaped
Nonce Checks
2
Capability Checks
2
File Operations
5
External Requests
1
Bundled Libraries
0

Dangerous Functions Found

unserialize$unserialized_data = @unserialize( $data, ['allowed_classes' => false] );classes\Helpers\_String.php:206

SQL Query Safety

83% prepared131 total queries

Output Escaping

80% escaped55 total outputs
Attack Surface

Employee, Leave and Recruitment Management System – Crew HRM Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[crewhrm_careers] classes\Setup\Shortcode.php:23
WordPress Hooks 41
actionplugins_loadedaddons\Recaptcha\classes\Main.php:42
filtercrewhrm_controllersaddons\Recaptcha\classes\Setup\Dispatcher.php:23
actionwp_enqueue_scriptsaddons\Recaptcha\classes\Setup\Scripts.php:25
actionadmin_enqueue_scriptsaddons\Recaptcha\classes\Setup\Scripts.php:26
actioncrewhrm_submit_application_beforeaddons\Recaptcha\classes\Setup\Verify.php:22
actioncrewhrm_pro_loadedclasses\Main.php:89
filterupload_dirclasses\Models\FileManager.php:110
filterwp_mail_fromclasses\Models\Mailer.php:104
filterwp_mail_from_nameclasses\Models\Mailer.php:105
filterwp_mail_content_typeclasses\Models\Mailer.php:106
actionadmin_menuclasses\Setup\Addon.php:39
actionadmin_menuclasses\Setup\Admin.php:34
actionadmin_menuclasses\Setup\Admin.php:35
actionadmin_noticesclasses\Setup\Admin.php:37
actionadmin_headclasses\Setup\Admin.php:80
actioninitclasses\Setup\Blocks.php:21
filterquery_varsclasses\Setup\Careers.php:32
actiongenerate_rewrite_rulesclasses\Setup\Careers.php:33
filterthe_contentclasses\Setup\Careers.php:34
filtercrewhrm_save_settingsclasses\Setup\Careers.php:35
actioncrewhrm_clear_incomplete_applicationsclasses\Setup\Careers.php:38
actioninitclasses\Setup\Careers.php:39
actioncrewhrm_activatedclasses\Setup\Careers.php:42
actioncrewhrm_activatedclasses\Setup\Database.php:28
actionadmin_initclasses\Setup\Database.php:29
actionplugins_loadedclasses\Setup\Dispatcher.php:53
actioninitclasses\Setup\Employee.php:28
filterget_avatar_urlclasses\Setup\Employee.php:29
actioninitclasses\Setup\Employee.php:30
actioncrewhrm_job_application_createdclasses\Setup\Mails.php:23
filtercrewhrm_frontend_dataclasses\Setup\Mails.php:26
actionpre_get_postsclasses\Setup\Media.php:24
actionadmin_enqueue_scriptsclasses\Setup\Scripts.php:28
actionwp_enqueue_scriptsclasses\Setup\Scripts.php:29
actionadmin_enqueue_scriptsclasses\Setup\Scripts.php:32
actionwp_enqueue_scriptsclasses\Setup\Scripts.php:33
actionwp_headclasses\Setup\Scripts.php:36
actionadmin_headclasses\Setup\Scripts.php:37
actioninitclasses\Setup\Scripts.php:40
actionactivated_pluginclasses\Setup\Welcome.php:31
actioninitclasses\Setup\Welcome.php:32

Scheduled Events 1

crewhrm_clear_incomplete_applications
Maintenance & Trust

Employee, Leave and Recruitment Management System – Crew HRM Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedJul 29, 2025
PHP min version7.4
Downloads8K

Community Trust

Rating100/100
Number of ratings9
Active installs200
Developer Profile

Employee, Leave and Recruitment Management System – Crew HRM Developer Profile

Crew HRM

1 plugin · 200 total installs

91
trust score
Avg Security Score
96/100
Avg Patch Time
9 days
View full developer profile
Detection Fingerprints

How We Detect Employee, Leave and Recruitment Management System – Crew HRM

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/hr-management/dist/hrm.js/wp-content/plugins/hr-management/dist/settings.js/wp-content/plugins/hr-management/dist/addons-page.js/wp-content/plugins/hr-management/dist/careers.js/wp-content/plugins/hr-management/dist/blocks-viewer.js/wp-content/plugins/hr-management/dist/libraries/translation-loader.js/wp-content/plugins/hr-management/dist/application-page.js/wp-content/plugins/hr-management/dist/settings-page.js
Script Paths
/wp-content/plugins/hr-management/dist/hrm.js/wp-content/plugins/hr-management/dist/settings.js/wp-content/plugins/hr-management/dist/addons-page.js/wp-content/plugins/hr-management/dist/careers.js/wp-content/plugins/hr-management/dist/blocks-viewer.js/wp-content/plugins/hr-management/dist/libraries/translation-loader.js+2 more
Version Parameters
hr-management?ver=hr-management-recapcha-careers?ver=hr-management-recaptcha-settings?ver=hr-management-hrm?ver=hr-management-settings?ver=hr-management-addons-script?ver=hr-management-careers?ver=hr-management-blocks-viewer?ver=hr-management-translations?ver=

HTML / DOM Fingerprints

CSS Classes
crewhrm_containercrewhrm-titlecrewhrm-sub-titlecrewhrm-btncrewhrm-btn-primarycrewhrm-btn-secondarycrewhrm-btn-transparentcrewhrm-form-control+6 more
HTML Comments
<!-- Plugin Name: Crew HRM --><!-- Plugin URI: https://getcrewhrm.com/pricing/ --><!-- Description: Post jobs on your site and hire talent - all inside your website for free! --><!-- Author: Crew HRM -->+20 more
Data Attributes
data-cylector="root"
JS Globals
CrewHRM
REST Endpoints
/wp-json/crewhrm/v1/wp-json/crewhrm/v1/jobs/wp-json/crewhrm/v1/departments/wp-json/crewhrm/v1/settings
Shortcode Output
[crewhrm_jobs][crewhrm_careers_form][crewhrm_dashboard]
FAQ

Frequently Asked Questions about Employee, Leave and Recruitment Management System – Crew HRM