HR Management Lite Security & Risk Analysis

wordpress.org/plugins/hr-management-lite

HR Plugin for WordPress to Manage the HR works and the Projects.

300 active installs · v3.6 · PHP + · WP + · Updated Feb 23, 2026
Tags: attendance, hr-management, leave-management, project-management, shift-management

Score: 56 · C · Use Caution
CVEs total: 2
Unpatched: 2
Last CVE: Dec 28, 2025
Safety Verdict

Is HR Management Lite Safe to Use in 2026?

Use With Caution

Score 56/100

HR Management Lite has 2 unpatched vulnerabilities. Evaluate alternatives or apply available mitigations.

2 known CVEs · 2 unpatched · Last CVE: Dec 28, 2025 · Updated 2mo ago
Risk Assessment

The hr-management-lite plugin, version 3.6, presents a significant security risk because of its large unprotected attack surface and its history of medium-severity vulnerabilities. The code analysis shows a high proportion of properly escaped output and no critical or high severity taint flows, but the presence of 117 AJAX handlers registered without authentication checks is a major concern: each one is an entry point through which other weaknesses in the plugin could be reached. The plugin also calls the dangerous `unserialize` function 40 times; if attacker-controlled data reaches any of those calls through an unauthenticated AJAX endpoint, the result could be remote code execution. The vulnerability history, with two unpatched medium-severity CVEs covering missing authorization and CSRF, reinforces the concern that access control on these entry points is inadequate. Although the plugin does well on output escaping and issues only a small number of SQL queries, the lack of robust authorization on numerous entry points and the two unpatched vulnerabilities outweigh these positives and demand immediate attention.

Key Concerns

  • Large attack surface without auth checks
  • Dangerous function unserialize used frequently
  • 2 unpatched CVEs (medium severity)
  • Vulnerability history indicates missing auth/CSRF
  • SQL queries not using prepared statements
  • Bundled outdated library (DataTables v1.10.22)
Vulnerabilities
2 published

HR Management Lite Security Vulnerabilities

CVEs by Year

2025: 2 CVEs · unpatched

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2025-69022 · medium · 4.3 · Missing Authorization
HR Management Lite <= 3.5 - Missing Authorization
Dec 28, 2025 · Unpatched

CVE-2025-29005 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
HR Management Lite <= 3.3 - Cross-Site Request Forgery
Jun 5, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

HR Management Lite Code Analysis

Dangerous Functions: 40
Raw SQL Queries: 2 (0 prepared)
Unescaped Output: 22 (1716 escaped)
Nonce Checks: 61
Capability Checks: 3
File Operations: 0
External Requests: 1
Bundled Libraries: 1

Dangerous Functions Found

unserialize · admin\admin-setup-wizard.php:656 · $user_roles = unserialize( $save_settings['user_roles'] );
unserialize · admin\inc\administrator\wl_hrm-lite_project.php:49 · $members = unserialize( $project['members'] );
unserialize · admin\inc\administrator\wl_hrm-lite_staff.php:53 · $leave_name = unserialize( $staff['leave_name'] );
unserialize · admin\inc\administrator\wl_hrm-lite_staff.php:54 · $leave_value = unserialize( $staff['leave_value'] );
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:60 · $members = unserialize( $project['members'] );
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:143 · 'members' => unserialize( $projects[$key]['members'] ),
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:182 · $members = unserialize( $project['members'] );
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:268 · $members = unserialize( $project['members'] );
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:368 · foreach ( unserialize( $task_value['assign'] ) as $member_key => $value ) {
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:400 · foreach ( unserialize( $projects[$key]['members'] ) as $key => $value ) {
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:480 · foreach ( unserialize( $task_value['assign'] ) as $member_key => $value ) {
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:552 · 'assign' => unserialize( $projects[$project_key]['tasks'][$task_key]['assign'] ),
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:560 · foreach ( unserialize( $projects[$project_key]['members'] ) as $key => $value ) {
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:637 · foreach ( unserialize( $task_value['assign'] ) as $member_key => $value ) {
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:733 · foreach ( unserialize( $task_value['assign'] ) as $member_key => $value ) {
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:795 · foreach ( unserialize( $projects[$project_key]['tasks'][$task_key]['assign'] ) as $member_key => $va
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:902 · $media = unserialize( $value['media'] );
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:1038 · $media = unserialize( $value['media'] );
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:1089 · 'media' => unserialize( $projects[$proj_key]['tasks'][$task_key]['comments'][$comment_key]['media'
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:1192 · $media = unserialize( $value['media'] );
unserialize · admin\inc\controllers\wl-hrm-lite-projects-actions.php:1310 · $media = unserialize( $value['media'] );
unserialize · admin\inc\controllers\wl-hrm-lite-reports-actions.php:180 · $all_leaves = unserialize( $staffs['leave_value'] );
unserialize · admin\inc\controllers\wl-hrm-lite-staff-actions.php:110 · $leave_name = unserialize( $staff['leave_name'] );
unserialize · admin\inc\controllers\wl-hrm-lite-staff-actions.php:111 · $leave_value = unserialize( $staff['leave_value'] );
unserialize · admin\inc\controllers\wl-hrm-lite-staff-actions.php:199 · $names = json_encode( unserialize( $staffs[$key]['leave_name'] ) );
unserialize · admin\inc\controllers\wl-hrm-lite-staff-actions.php:200 · $values = json_encode( unserialize( $staffs[$key]['leave_value'] ) );
unserialize · admin\inc\controllers\wl-hrm-lite-staff-actions.php:286 · $leave_name = unserialize( $staff['leave_name'] );
unserialize · admin\inc\controllers\wl-hrm-lite-staff-actions.php:287 · $leave_value = unserialize( $staff['leave_value'] );
unserialize · admin\inc\controllers\wl-hrm-lite-staff-actions.php:381 · $leave_name = unserialize( $staff['leave_name'] );
unserialize · admin\inc\controllers\wl-hrm-lite-staff-actions.php:382 · $leave_value = unserialize( $staff['leave_value'] );
unserialize · admin\inc\helpers\wl-hrm-lite-helper.php:646 · $request = unserialize( $request['body'] );
unserialize · admin\inc\helpers\wl-hrm-lite-helper.php:1095 · $locations = unserialize( $staff['locations'] );
unserialize · admin\inc\helpers\wl-hrm-lite-helper.php:1540 · $all_leaves = unserialize( $staffs['leave_value'] );
unserialize · admin\inc\helpers\wl-hrm-lite-helper.php:1671 · $all_leaves = unserialize( $staffs['leave_value'] );
unserialize · admin\inc\helpers\wl-hrm-lite-helper.php:2253 · $assign = unserialize( $task_value['assign'] );
unserialize · admin\inc\helpers\wl-hrm-lite-helper.php:2294 · $members = unserialize( $projects[$project_id]['members'] );
unserialize · admin\inc\helpers\wl-hrm-lite-helper.php:2414 · $members = unserialize( $projects[$project_id]['tasks'][$task_id]['assign'] );
unserialize · admin\inc\subscriber\wl_hrm_lite_staff_projects.php:41 · $members = unserialize( $project['members'] );
unserialize · admin\inc\wl_hrm-lite_settings.php:439 · $user_roles = unserialize( $save_settings['user_roles'] );
unserialize · admin\WL_HRML_MENU.php:123 · $user_roles = unserialize($save_settings['user_roles']);

Bundled Libraries

DataTables 1.10.22

SQL Query Safety

0% prepared (2 total queries)

Output Escaping

99% escaped (1738 total outputs)
Data Flows · Security
All sanitized

Data Flow Analysis

4 flows
save_email_template_data (admin\inc\controllers\wl-hrm-lite-notification-actions.php:85)
Attack Surface
117 unprotected

HR Management Lite Attack Surface

Entry Points: 118
Unprotected: 117

AJAX Handlers: 117

auth · wp_ajax_wl-hrm-lite-settings · admin\admin.php:48
nopriv · wp_ajax_hrm_add_designation_action · admin\admin.php:53
auth · wp_ajax_hrm_add_designation_action · admin\admin.php:54
nopriv · wp_ajax_hrm_edit_designation_action · admin\admin.php:57
auth · wp_ajax_hrm_edit_designation_action · admin\admin.php:58
nopriv · wp_ajax_hrm_update_designation_action · admin\admin.php:61
auth · wp_ajax_hrm_update_designation_action · admin\admin.php:62
nopriv · wp_ajax_hrm_delete_designation_action · admin\admin.php:65
auth · wp_ajax_hrm_delete_designation_action · admin\admin.php:66
nopriv · wp_ajax_hrm_add_shift_action · admin\admin.php:71
auth · wp_ajax_hrm_add_shift_action · admin\admin.php:72
nopriv · wp_ajax_hrm_edit_shift_action · admin\admin.php:75
auth · wp_ajax_hrm_edit_shift_action · admin\admin.php:76
nopriv · wp_ajax_hrm_update_shift_action · admin\admin.php:79
auth · wp_ajax_hrm_update_shift_action · admin\admin.php:80
nopriv · wp_ajax_hrm_delete_shift_action · admin\admin.php:83
auth · wp_ajax_hrm_delete_shift_action · admin\admin.php:84
nopriv · wp_ajax_hrm_add_event_action · admin\admin.php:89
auth · wp_ajax_hrm_add_event_action · admin\admin.php:90
nopriv · wp_ajax_hrm_edit_event_action · admin\admin.php:93
auth · wp_ajax_hrm_edit_event_action · admin\admin.php:94
nopriv · wp_ajax_hrm_update_event_action · admin\admin.php:97
auth · wp_ajax_hrm_update_event_action · admin\admin.php:98
nopriv · wp_ajax_hrm_delete_event_action · admin\admin.php:101
auth · wp_ajax_hrm_delete_event_action · admin\admin.php:102
nopriv · wp_ajax_hrm_add_notice_action · admin\admin.php:107
auth · wp_ajax_hrm_add_notice_action · admin\admin.php:108
auth · wp_ajax_noprivhrm_edit_notice_action · admin\admin.php:111
auth · wp_ajax_hrm_edit_notice_action · admin\admin.php:112
nopriv · wp_ajax_hrm_update_notice_action · admin\admin.php:115
auth · wp_ajax_hrm_update_notice_action · admin\admin.php:116
nopriv · wp_ajax_hrm_delete_notice_action · admin\admin.php:119
auth · wp_ajax_hrm_delete_notice_action · admin\admin.php:120
nopriv · wp_ajax_hrm_add_holiday_action · admin\admin.php:125
auth · wp_ajax_hrm_add_holiday_action · admin\admin.php:126
nopriv · wp_ajax_hrm_edit_holiday_action · admin\admin.php:129
auth · wp_ajax_hrm_edit_holiday_action · admin\admin.php:130
nopriv · wp_ajax_hrm_update_holiday_action · admin\admin.php:133
auth · wp_ajax_hrm_update_holiday_action · admin\admin.php:134
nopriv · wp_ajax_hrm_delete_holiday_action · admin\admin.php:137
auth · wp_ajax_hrm_delete_holiday_action · admin\admin.php:138
nopriv · wp_ajax_hrm_fetch_staff_action · admin\admin.php:143
auth · wp_ajax_hrm_fetch_staff_action · admin\admin.php:144
nopriv · wp_ajax_hrm_add_staff_action · admin\admin.php:147
auth · wp_ajax_hrm_add_staff_action · admin\admin.php:148
nopriv · wp_ajax_hrm_edit_staff_action · admin\admin.php:151
auth · wp_ajax_hrm_edit_staff_action · admin\admin.php:152
nopriv · wp_ajax_hrm_update_staff_action · admin\admin.php:155
auth · wp_ajax_hrm_update_staff_action · admin\admin.php:156
nopriv · wp_ajax_hrm_delete_staff_action · admin\admin.php:159
auth · wp_ajax_hrm_delete_staff_action · admin\admin.php:160
nopriv · wp_ajax_hrm_login_dash_action · admin\admin.php:165
auth · wp_ajax_hrm_login_dash_action · admin\admin.php:166
nopriv · wp_ajax_hrm_add_project_ajax · admin\admin.php:171
auth · wp_ajax_hrm_add_project_ajax · admin\admin.php:172
nopriv · wp_ajax_hrm_edit_project_ajax · admin\admin.php:175
auth · wp_ajax_hrm_edit_project_ajax · admin\admin.php:176
nopriv · wp_ajax_hrm_update_project_ajax · admin\admin.php:179
auth · wp_ajax_hrm_update_project_ajax · admin\admin.php:180
nopriv · wp_ajax_hrm_delete_project_ajax · admin\admin.php:183
auth · wp_ajax_hrm_delete_project_ajax · admin\admin.php:184
nopriv · wp_ajax_hrm_view_all_tasks_ajax · admin\admin.php:187
auth · wp_ajax_hrm_view_all_tasks_ajax · admin\admin.php:188
nopriv · wp_ajax_hrm_add_task_ajax · admin\admin.php:191
auth · wp_ajax_hrm_add_task_ajax · admin\admin.php:192
nopriv · wp_ajax_hrm_edit_task_ajax · admin\admin.php:195
auth · wp_ajax_hrm_edit_task_ajax · admin\admin.php:196
nopriv · wp_ajax_hrm_update_task_ajax · admin\admin.php:199
auth · wp_ajax_hrm_update_task_ajax · admin\admin.php:200
nopriv · wp_ajax_hrm_delete_task_ajax · admin\admin.php:203
auth · wp_ajax_hrm_delete_task_ajax · admin\admin.php:204
nopriv · wp_ajax_hrm_view_task_ajax · admin\admin.php:207
auth · wp_ajax_hrm_view_task_ajax · admin\admin.php:208
nopriv · wp_ajax_hrm_add_comment_ajax · admin\admin.php:211
auth · wp_ajax_hrm_add_comment_ajax · admin\admin.php:212
nopriv · wp_ajax_hrm_edit_comment_ajax · admin\admin.php:215
auth · wp_ajax_hrm_edit_comment_ajax · admin\admin.php:216
nopriv · wp_ajax_hrm_update_comment_ajax · admin\admin.php:219
auth · wp_ajax_hrm_update_comment_ajax · admin\admin.php:220
nopriv · wp_ajax_hrm_delete_comment_ajax · admin\admin.php:223
auth · wp_ajax_hrm_delete_comment_ajax · admin\admin.php:224
nopriv · wp_ajax_hrm_email_options_ajax · admin\admin.php:229
auth · wp_ajax_hrm_email_options_ajax · admin\admin.php:230
nopriv · wp_ajax_hrm_email_options_data · admin\admin.php:233
auth · wp_ajax_hrm_email_options_data · admin\admin.php:234
nopriv · wp_ajax_hrm_save_email_options_ajax · admin\admin.php:237
auth · wp_ajax_hrm_save_email_options_ajax · admin\admin.php:238
nopriv · wp_ajax_hrm_get_reports_action · admin\admin.php:243
auth · wp_ajax_hrm_get_reports_action · admin\admin.php:244
nopriv · wp_ajax_hrm_show_salary_action · admin\admin.php:247
auth · wp_ajax_hrm_show_salary_action · admin\admin.php:248
nopriv · wp_ajax_hrm_edit_report_action · admin\admin.php:251
auth · wp_ajax_hrm_edit_report_action · admin\admin.php:252
nopriv · wp_ajax_hrm_update_report_action · admin\admin.php:255
auth · wp_ajax_hrm_update_report_action · admin\admin.php:256
nopriv · wp_ajax_hrm_login_dash_action · admin\admin.php:264
auth · wp_ajax_hrm_login_dash_action · admin\admin.php:265
nopriv · wp_ajax_hrm_clock_action · admin\admin.php:270
auth · wp_ajax_hrm_clock_action · admin\admin.php:271
nopriv · wp_ajax_hrm_late_reson_action · admin\admin.php:274
auth · wp_ajax_hrm_late_reson_action · admin\admin.php:275
nopriv · wp_ajax_hrm_daily_report_action · admin\admin.php:278
auth · wp_ajax_hrm_daily_report_action · admin\admin.php:279
nopriv · wp_ajax_hrm_add_req_action · admin\admin.php:284
auth · wp_ajax_hrm_add_req_action · admin\admin.php:285
nopriv · wp_ajax_hrm_edit_req_action · admin\admin.php:288
auth · wp_ajax_hrm_edit_req_action · admin\admin.php:289
nopriv · wp_ajax_hrm_update_req_action · admin\admin.php:292
auth · wp_ajax_hrm_update_req_action · admin\admin.php:293
nopriv · wp_ajax_hrm_delete_req_action · admin\admin.php:296
auth · wp_ajax_hrm_delete_req_action · admin\admin.php:297
nopriv · wp_ajax_hrm_front_clock_action · public\public.php:20
auth · wp_ajax_hrm_front_clock_action · public\public.php:21
nopriv · wp_ajax_hrm_front_late_reson_action · public\public.php:24
auth · wp_ajax_hrm_front_late_reson_action · public\public.php:25
nopriv · wp_ajax_hrm_front_daily_report_action · public\public.php:28
auth · wp_ajax_hrm_front_daily_report_action · public\public.php:29

Shortcodes: 1

[WL_EHRM_LOGIN_FORM] · public\public.php:15
WordPress Hooks: 16

action · admin_menu · admin\admin-setup-wizard.php:47
action · admin_init · admin\admin-setup-wizard.php:48
action · hrm_lite__setup_setup_footer · admin\admin-setup-wizard.php:49
action · admin_menu · admin\admin.php:45
action · admin_init · admin\admin.php:259
action · admin_enqueue_scripts · admin\admin.php:302
action · wp_dashboard_setup · admin\admin.php:310
action · admin_enqueue_scripts · admin\admin.php:311
action · hrm_lite_extension_activation · hr-management-lite.php:66
action · init · hr-management-lite.php:67
action · pre_get_posts · hr-management-lite.php:68
action · hrm_lite_default_emails_activation · hr-management-lite.php:69
action · admin_init · hr-management-lite.php:71
filter · login_redirect · hr-management-lite.php:98
action · plugins_loaded · public\public.php:9
action · wp_enqueue_scripts · public\public.php:12
Maintenance & Trust

HR Management Lite Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 23, 2026
PHP min version:
Downloads: 18K

Community Trust

Rating: 70/100
Number of ratings: 2
Active installs: 300
Developer Profile

HR Management Lite Developer Profile

Weblizar - WordPress Themes & Plugin

26 plugins · 56K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 952 days
Detection Fingerprints

How We Detect HR Management Lite

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/hr-management-lite/public/css/bootstrap.min.css
/wp-content/plugins/hr-management-lite/assets/css/bootstrap-timepicker.css
/wp-content/plugins/hr-management-lite/assets/css/font-awesome.min.css
/wp-content/plugins/hr-management-lite/admin/css/admin-setup-wizard.css
/wp-content/plugins/hr-management-lite/assets/js/popper.min.js
/wp-content/plugins/hr-management-lite/assets/js/bootstrap.min.js
/wp-content/plugins/hr-management-lite/assets/js/bootstrap-timepicker.js
/wp-content/plugins/hr-management-lite/admin/js/admin-setup.js
Script Paths
/wp-content/plugins/hr-management-lite/assets/js/popper.min.js
/wp-content/plugins/hr-management-lite/assets/js/bootstrap.min.js
/wp-content/plugins/hr-management-lite/assets/js/bootstrap-timepicker.js
/wp-content/plugins/hr-management-lite/admin/js/admin-setup.js
Version Parameters
hr-management-lite/style.css?ver=
hr-management-lite/public/css/bootstrap.min.css?ver=
hr-management-lite/assets/css/bootstrap-timepicker.css?ver=
hr-management-lite/assets/css/font-awesome.min.css?ver=
hr-management-lite/admin/css/admin-setup-wizard.css?ver=
hr-management-lite/assets/js/popper.min.js?ver=
hr-management-lite/assets/js/bootstrap.min.js?ver=
hr-management-lite/assets/js/bootstrap-timepicker.js?ver=
hr-management-lite/admin/js/admin-setup.js?ver=

HTML / DOM Fingerprints

CSS Classes
hrm-lite-setup-wizard-container
HTML Comments
<!-- Setup Wizard Class -->
<!-- Setup Wizard Steps -->
<!-- Setup Wizard Footer -->
Data Attributes
data-wizard-url
JS Globals
hrm_lite_staff_login_redirect
FAQ

Frequently Asked Questions about HR Management Lite