WP-HR Manager: The Human Resources Plugin for WordPress Security & Risk Analysis

wordpress.org/plugins/wp-hr-manager

Easily add a powerful HR / human resource management system and employee self service (ESS) portal to your website. = Credits = This plugin uses [WP E …

300 active installs · v3.2.0 · PHP + WP 5.0+ · Updated Mar 27, 2025

Tags: attendance-management, hr, human-resources, leave, recruitment

Score: 91 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Jan 16, 2025
Safety Verdict

Is WP-HR Manager: The Human Resources Plugin for WordPress Safe to Use in 2026?

Generally Safe

Score 91/100

WP-HR Manager: The Human Resources Plugin for WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Jan 16, 2025 · Updated 1yr ago
Risk Assessment

The wp-hr-manager v3.2.0 plugin exhibits a mixed security posture. While it demonstrates good practices with a high percentage of properly escaped output and a substantial number of capability checks, several areas raise concerns. The presence of the `unserialize` dangerous function, even without taint-analysis findings of critical severity attached to it, presents a potential risk of deserialization vulnerabilities if user-controlled input ever reaches it. The taint analysis revealed a significant number of flows with unsanitized paths, including 7 high-severity flows, indicating that user input may not be adequately validated or sanitized before being used in sensitive operations. This, coupled with 53% of SQL queries not using prepared statements, increases the risk of SQL injection vulnerabilities.

The plugin's vulnerability history shows a single medium-severity CVE for Cross-site Scripting, which is now patched. While the absence of currently unpatched vulnerabilities is positive, the previous XSS vulnerability suggests that input sanitization has not always been robust. The lack of reported critical- or high-severity vulnerabilities in the history, contrasting with the high-severity taint flows, warrants further investigation into the actual exploitability of those flows. Overall, the plugin has strengths in its output escaping and capability checks but weaknesses in handling user input (the unsanitized taint flows and the raw SQL queries), alongside the inherent risk of the `unserialize` function.

Key Concerns

  • High severity taint flows detected
  • SQL queries not using prepared statements
  • Presence of unserialize dangerous function
  • Flows with unsanitized paths detected
  • Bundled library (Freemius v1.0) may be outdated
Vulnerabilities (1)

WP-HR Manager: The Human Resources Plugin for WordPress Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-23843 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP-HR Manager: The Human Resources Plugin for WordPress <= 3.1.0 - Reflected Cross-Site Scripting

Jan 16, 2025 · Patched in 3.2.0 (85d)
Code Analysis
Analyzed Mar 16, 2026

WP-HR Manager: The Human Resources Plugin for WordPress Code Analysis

Dangerous Functions: 8
Raw SQL Queries: 91 (101 prepared)
Unescaped Output: 482 (1854 escaped)
Nonce Checks: 26
Capability Checks: 247
File Operations: 41
External Requests: 1
Bundled Libraries: 3

Dangerous Functions Found

unserialize: `$additional = unserialize($row->additional);` (modules\hrm\views\employee\tab-job.php:113)
unserialize: `$additional = unserialize($row->additional);` (modules\hrm\views\employee\tab-job.php:220)
unserialize: `$additional = unserialize($row->additional);` (modules\hrm\views\employee\tab-job.php:321)
unserialize: `$additional = unserialize($note->additional);` (modules\hrm\views\employee\tab-notes.php:83)
unserialize: `$additional = unserialize($row->additional);` (modules\hrm\views\employee\tab-performance.php:115)
unserialize: `$additional = unserialize($row->additional);` (modules\hrm\views\employee\tab-performance.php:218)
unserialize: `$additional = unserialize($row->additional);` (modules\hrm\views\employee\tab-performance.php:320)
unserialize: `$additional = unserialize( get_user_meta( $employee->id, 'additional', true ));` (modules\hrm\views\employee\tab-permission.php:123)

Bundled Libraries

jQuery, Select2, Freemius 1.0

SQL Query Safety

53% prepared · 192 total queries

Output Escaping

79% escaped · 2336 total outputs
Data Flows (17 unsanitized)

Data Flow Analysis

25 flows · 17 with unsanitized paths
perform_updates (includes\class-updates.php:126)
Attack Surface

WP-HR Manager: The Human Resources Plugin for WordPress Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks (82)

filter · login_redirect · includes\actions-filters.php:6
action · init · includes\actions-filters.php:7
action · admin_init · includes\actions-filters.php:8
action · admin_footer · includes\actions-filters.php:9
action · admin_init · includes\actions-filters.php:10
action · admin_footer · includes\actions-filters.php:11
action · admin_notices · includes\actions-filters.php:12
action · admin_init · includes\actions-filters.php:13
filter · map_meta_cap · includes\actions-filters.php:17
filter · cron_schedules · includes\actions-filters.php:18
filter · ajax_query_attachments_args · includes\actions-filters.php:19
filter · the_title · includes\actions-filters.php:20
filter · pre_wp_nav_menu · includes\actions-filters.php:21
filter · wp_nav_menu · includes\actions-filters.php:22
action · admin_footer · includes\admin\class-admin.php:22
action · admin_menu · includes\admin\class-setup-wizard.php:33
action · admin_init · includes\admin\class-setup-wizard.php:34
action · edit_user_profile · includes\admin\class-user-profile.php:35
action · show_user_profile · includes\admin\class-user-profile.php:36
action · profile_update · includes\admin\class-user-profile.php:37
action · rest_api_init · includes\api\class-api-registrar.php:17
action · wphr_email_header · includes\class-emailer.php:30
action · wphr_email_footer · includes\class-emailer.php:31
action · wphr_admin_field_notification_emails · includes\framework\settings\email.php:17
action · wphr_admin_field_smtp_test_connection · includes\framework\settings\email.php:18
action · wphr_admin_field_imap_test_connection · includes\framework\settings\email.php:19
action · wphr_admin_field_imap_status · includes\framework\settings\email.php:20
action · wphr_update_option · includes\framework\settings\email.php:22
action · wphr_admin_field_integrations · includes\framework\settings\integration.php:16
action · wphr_admin_field_licenses · includes\framework\settings\license.php:16
action · phpmailer_init · includes\functions.php:2076
action · admin_enqueue_scripts · includes\functions.php:2410
action · wp_enqueue_scripts · includes\functions.php:2411
filter · the_title · includes\functions.php:2825
filter · wphr_settings_pages · modules\hrm\hrm.php:94
action · user_register · modules\hrm\includes\actions-filters.php:5
action · delete_user · modules\hrm\includes\actions-filters.php:6
action · set_user_role · modules\hrm\includes\actions-filters.php:7
action · wphr_hr_employee_new · modules\hrm\includes\actions-filters.php:10
action · wphr_daily_scheduled_events · modules\hrm\includes\actions-filters.php:11
action · wphr_daily_scheduled_events · modules\hrm\includes\actions-filters.php:12
action · wphr_daily_scheduled_events · modules\hrm\includes\actions-filters.php:13
action · wphr_hr_leave_policy_new · modules\hrm\includes\actions-filters.php:14
action · wphr_hr_schedule_announcement_email · modules\hrm\includes\actions-filters.php:15
filter · wphr_map_meta_caps · modules\hrm\includes\actions-filters.php:18
filter · user_has_cap · modules\hrm\includes\actions-filters.php:19
filter · editable_roles · modules\hrm\includes\actions-filters.php:20
filter · woocommerce_prevent_admin_access · modules\hrm\includes\actions-filters.php:21
action · admin_menu · modules\hrm\includes\admin\class-menu.php:14
action · wphr_user_profile_role · modules\hrm\includes\admin\class-user-profile.php:34
action · wphr_update_user · modules\hrm\includes\admin\class-user-profile.php:35
filter · parent_file · modules\hrm\includes\class-announcement.php:74
action · wphr_action_hr-leave-assign-policy · modules\hrm\includes\class-form-handler.php:20
action · wphr_action_hr-leave-req-new · modules\hrm\includes\class-form-handler.php:21
action · wphr_action_wphr-hr-employee-permission · modules\hrm\includes\class-form-handler.php:24
action · admin_init · modules\hrm\includes\class-form-handler.php:26
action · admin_init · modules\hrm\includes\class-form-handler.php:27
action · admin_init · modules\hrm\includes\class-form-handler.php:28
action · load-toplevel_page_wphr-leave · modules\hrm\includes\class-form-handler.php:37
action · wphr_hr_dashboard_widgets_right · modules\hrm\includes\functions-dashboard-widgets.php:70
action · wphr_hr_dashboard_widgets_left · modules\hrm\includes\functions-dashboard-widgets.php:71
action · wp_footer · modules\hrm\includes\functions-dashboard-widgets.php:458
action · admin_footer · modules\hrm\includes\functions-dashboard-widgets.php:459
action · template_redirect · modules\wp-hr-frontend\includes\class-form-handler.php:19
action · template_redirect · modules\wp-hr-frontend\includes\class-form-handler.php:20
action · wp_footer · modules\wp-hr-frontend\includes\class-scripts.php:41
filter · wphr_settings_hr_sections · modules\wp-hr-frontend\includes\class-settings.php:36
filter · wphr_settings_hr_section_fields · modules\wp-hr-frontend\includes\class-settings.php:37
action · admin_notices · modules\wp-hr-frontend\wp-hr-frontend.php:47
action · init · modules\wp-hr-frontend\wp-hr-frontend.php:50
action · wphr_hrm_loaded · modules\wp-hr-frontend\wp-hr-frontend.php:57
action · init · modules\wp-hr-frontend\wp-hr-frontend.php:183
action · wp_footer · modules\wp-hr-frontend\wp-hr-frontend.php:184
filter · wphr_hr_employee_tab_url · modules\wp-hr-frontend\wp-hr-frontend.php:196
filter · wphr_hr_employee_list_url · modules\wp-hr-frontend\wp-hr-frontend.php:197
filter · connect_url · wp-hr-manager.php:90
filter · after_skip_url · wp-hr-manager.php:91
filter · after_connect_url · wp-hr-manager.php:92
filter · after_pending_connect_url · wp-hr-manager.php:93
action · init · wp-hr-manager.php:309
action · wphr_loaded · wp-hr-manager.php:313
action · wphr_loaded · wp-hr-manager.php:315

Scheduled Events (8)

wphr_per_minute_scheduled_events
wphr_daily_scheduled_events
wphr_weekly_scheduled_events
wphr_crm_inbound_email_scheduled_events
wphr_per_minute_scheduled_events
wphr_daily_scheduled_events
wphr_weekly_scheduled_events
wphr_hr_schedule_announcement_email
Maintenance & Trust

WP-HR Manager: The Human Resources Plugin for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Mar 27, 2025
PHP min version:
Downloads: 46K

Community Trust

Rating: 40/100
Number of ratings: 5
Active installs: 300
Developer Profile

WP-HR Manager: The Human Resources Plugin for WordPress Developer Profile

wphrmanager

2 plugins · 310 total installs

Trust score: 80
Avg Security Score: 88/100
Avg Patch Time: 85 days
Detection Fingerprints

How We Detect WP-HR Manager: The Human Resources Plugin for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-hr-manager/assets/css/admin.css
/wp-content/plugins/wp-hr-manager/assets/css/frontend.css
/wp-content/plugins/wp-hr-manager/assets/css/wphr-frontend.css
/wp-content/plugins/wp-hr-manager/assets/js/admin.js
/wp-content/plugins/wp-hr-manager/assets/js/frontend.js
/wp-content/plugins/wp-hr-manager/assets/js/wphr-frontend.js
/wp-content/plugins/wp-hr-manager/assets/js/wphr-admin-global.js
/wp-content/plugins/wp-hr-manager/assets/css/wphr-style.css
Script Paths
/wp-content/plugins/wp-hr-manager/freemius/start.php
Version Parameters
wp-hr-manager/assets/css/admin.css?ver=
wp-hr-manager/assets/css/frontend.css?ver=
wp-hr-manager/assets/css/wphr-frontend.css?ver=
wp-hr-manager/assets/js/admin.js?ver=
wp-hr-manager/assets/js/frontend.js?ver=
wp-hr-manager/assets/js/wphr-frontend.js?ver=
wp-hr-manager/assets/js/wphr-admin-global.js?ver=
wp-hr-manager/assets/css/wphr-style.css?ver=

HTML / DOM Fingerprints

CSS Classes
wphr-btn, wphr-label, wphr-employee-list, wphr-employee-details, wphr-leave-request, wphr-performance-review, wphr-training-list, wphr-job-listing
Data Attributes
data-wphr-ajax, data-wphr-nonce, data-wphr-action
JS Globals
wphr_frontend_data, wphr_admin_data, WPHR_Admin
REST Endpoints
/wp-json/wphr/v1/
Shortcode Output
[wphr_employee_directory], [wphr_leave_request_form], [wphr_performance_review_form]
FAQ

Frequently Asked Questions about WP-HR Manager: The Human Resources Plugin for WordPress