[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$feIW3CWmHieMkNxe9lS-baa6jKz-oHmnNjyy4XRlGjq8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-2720","hr-press-lite-missing-authorization-to-authenticated-subscriber-sensitive-employee-information-exposure","Hr Press Lite \u003C= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Employee Information Exposure","The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive employee information including names, email addresses, phone numbers, salary\u002Fpay rates, employment dates, and employment status.","hr-press-lite",null,"\u003C=1.0.2","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Missing Authorization","2026-03-20 15:15:10","2026-04-15 17:55:02",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd2a63b8e-e16e-4702-be1b-acc5c3e74b22?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-2720 (Hr Press Lite)\n\n## 1. Vulnerability Summary\nThe **Hr Press Lite** plugin (\u003C= 1.0.2) is vulnerable to sensitive information exposure due to a missing authorization check (capability check) in the AJAX handler for the action `hrp-fetch-employees`. While the handler is registered via `wp_ajax_`, which restricts access to authenticated users, it fails to verify if the authenticated user has the necessary permissions (e.g., `manage_options` or `hrp_manage_employees`) to view sensitive employee data. This allows any user with a **Subscriber** role or higher to retrieve a full list of employees, including private details like salary, phone numbers, and employment status.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `hrp-fetch-employees`\n- **Method:** `POST` (typically for AJAX actions in this plugin) or `GET`.\n- **Vulnerable Parameter:** The action itself triggers the data dump. There may be optional pagination or search parameters (e.g., `length`, `start`, `search[value]`) if the plugin uses DataTables.\n- **Authentication:** Authenticated user session (Subscriber role is sufficient).\n- **Preconditions:** At least one employee record must exist in the plugin's database to demonstrate data exposure.\n\n## 3. Code Flow (Inferred)\n1. **Registration:** The plugin registers the AJAX hook in a file like `includes\u002Fclass-hrp-ajax.php` or the main plugin file:\n   ```php\n   add_action( 'wp_ajax_hrp-fetch-employees', array( $this, 'hrp_fetch_employees' ) );\n   ```\n2. **Handler Entry:** The function `hrp_fetch_employees()` is called when the `admin-ajax.php` request is processed.\n3. **Missing Check:** The handler likely checks for a nonce (for CSRF) but fails to call `current_user_can()`.\n4. **Data Retrieval:** The function queries a custom table (e.g., `{$wpdb->prefix}hrp_employees`) using `$wpdb->get_results()`.\n5. **Sink:** The results, including sensitive columns like `salary`, `pay_rate`, and `phone`, are passed to `wp_send_json_success()` or `echo json_encode()`.\n\n## 4. Nonce Acquisition Strategy\nThe AJAX handler likely implements a nonce check using `check_ajax_referer` or `wp_verify_nonce`.\n- **Nonce Action:** Likely `hrp-nonce`, `hrp_ajax_nonce`, or `hrp-fetch-employees` (inferred).\n- **Localization Key:** The plugin likely uses `wp_localize_script` to pass the nonce to the frontend.\n- **Strategy:**\n    1. Log in as a **Subscriber** user.\n    2. Navigate to a page where the Hr Press Lite scripts are loaded. If the scripts only load on admin pages, check if the plugin adds a menu item for subscribers (unlikely) or if it enqueues scripts on the profile page.\n    3. If no public\u002Fsubscriber page enqueues the script, check the main dashboard (`\u002Fwp-admin\u002Findex.php`).\n    4. **JS Variable Search:** Use `browser_eval` to search for localized objects. Common prefixes: `hrp_ajax`, `hrp_obj`, or `hrp_vars`.\n    5. **Execution Command:** `browser_eval(\"window.hrp_ajax_obj?.nonce\")` (inferred name).\n\n## 5. Exploitation Strategy\n### Step 1: Authentication\nAuthenticate as a Subscriber user and maintain the session cookies.\n\n### Step 2: Nonce Extraction\nNavigate to the WordPress dashboard as the Subscriber and extract the nonce.\n- **URL:** `\u002Fwp-admin\u002Findex.php`\n- **Tool:** `browser_eval` to find the nonce in the global JS scope.\n\n### Step 3: Data Extraction Request\nSend a POST request to the AJAX endpoint with the identified action and nonce.\n- **Tool:** `http_request`\n- **Request Details:**\n  ```http\n  POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n  Content-Type: application\u002Fx-www-form-urlencoded\n\n  action=hrp-fetch-employees&security=[NONCE_VALUE]\n  ```\n  *(Note: The nonce parameter name might be `security`, `_wpnonce`, or `nonce`—this must be verified during the research phase via `grep` on the source code.)*\n\n### Step 4: Response Parsing\nAnalyze the JSON response. A successful exploit will return a JSON object containing an array of employee records with keys like:\n- `first_name`, `last_name`\n- `email`\n- `phone`\n- `salary` \u002F `pay_rate` (The critical sensitive data)\n- `joining_date`\n\n## 6. Test Data Setup\nTo ensure a successful PoC, the environment must be seeded with employee data:\n1. **Create Employee:** Use the WordPress admin (as Administrator) to navigate to the Hr Press Lite menu and add an employee.\n   - **Name:** \"John Doe\"\n   - **Email:** \"john@example.com\"\n   - **Salary:** \"50000\"\n   - **Phone:** \"555-0199\"\n2. **Create Attacker:** Create a user with the `subscriber` role.\n   - `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n\n## 7. Expected Results\n- **Status Code:** 200 OK\n- **Response Body:** A JSON string containing the full list of employees.\n- **Example:**\n  ```json\n  {\n    \"success\": true,\n    \"data\": [\n      {\n        \"id\": \"1\",\n        \"first_name\": \"John\",\n        \"last_name\": \"Doe\",\n        \"email\": \"john@example.com\",\n        \"phone\": \"555-0199\",\n        \"salary\": \"50000\",\n        ...\n      }\n    ]\n  }\n  ```\n\n## 8. Verification Steps\n1. **Confirm Role:** Use `wp user get attacker` to verify the user is only a Subscriber.\n2. **Compare Data:** Compare the JSON output from the exploit with the actual database content:\n   - `wp db query \"SELECT * FROM wp_hrp_employees;\"` (or the appropriate table name found via `wp db tables`).\n3. **Verify Lack of Auth:** Check the plugin source code for the `hrp_fetch_employees` function to confirm there is no `current_user_can()` call.\n\n## 9. Alternative Approaches\n- **Parameter Brute-forcing:** If `action=hrp-fetch-employees` returns nothing, try adding DataTables parameters: `draw=1&start=0&length=10`.\n- **Direct Database ID:** If the endpoint requires a specific ID, try `action=hrp-fetch-employees&id=1`.\n- **Search Query:** Try `action=hrp-fetch-employees&search[value]=@` to force a wildcard search if the default response is empty.\n- **Bypassing Nonce:** If the nonce is required but hard to find, check if `check_ajax_referer( '...', '...', false )` is used (the `false` third argument prevents `die()`, allowing potential bypass).","The Hr Press Lite plugin for WordPress is vulnerable to sensitive information exposure due to a missing authorization check in the `hrp-fetch-employees` AJAX handler. This allows authenticated users with Subscriber-level permissions or higher to retrieve private employee data, including salary details, contact information, and employment status.","\u002F\u002F Inferred from registration hook in plugin source\nadd_action( 'wp_ajax_hrp-fetch-employees', array( $this, 'hrp_fetch_employees' ) );\n\n---\n\n\u002F\u002F Likely handler logic without capability checks\npublic function hrp_fetch_employees() {\n    check_ajax_referer( 'hrp-nonce', 'security' );\n\n    global $wpdb;\n    $table_name = $wpdb->prefix . 'hrp_employees';\n    $results = $wpdb->get_results( \"SELECT * FROM $table_name\" );\n\n    wp_send_json_success( $results );\n}","--- a\u002Fincludes\u002Fclass-hrp-ajax.php\n+++ b\u002Fincludes\u002Fclass-hrp-ajax.php\n@@ -10,6 +10,10 @@\n \tpublic function hrp_fetch_employees() {\n \t\tcheck_ajax_referer( 'hrp-nonce', 'security' );\n \n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\twp_send_json_error( array( 'message' => 'Unauthorized' ) );\n+\t\t}\n+\n \t\tglobal $wpdb;\n \t\t$table_name = $wpdb->prefix . 'hrp_employees';\n \t\t$results = $wpdb->get_results( \"SELECT * FROM $table_name\" );","The exploit involves authenticating as a low-privileged user (Subscriber) and triggering the vulnerable AJAX action. 1. Log in to the WordPress site as a Subscriber. 2. Extract the AJAX security nonce from the global JavaScript scope (commonly localized under objects like hrp_ajax_obj). 3. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action parameter set to 'hrp-fetch-employees' and the extracted nonce in the security parameter. 4. The server returns a JSON object containing full employee records, including sensitive fields such as salary, phone numbers, and joining dates.","gemini-3-flash-preview","2026-04-18 00:51:35","2026-04-18 00:51:53",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhr-press-lite\u002Ftags"]