CVE-2024-12812: CWE-284 Improper Access Control in Unknown WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Severity: High
Tags: Vulnerability, CVE-2024-12812, CWE-284
Published: Thu May 15 2025 (05/15/2025, 20:06:57 UTC)
Source: CVE
Vendor/Project: Unknown
Product: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Description

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before 1.13.4 has an issue where employees can manipulate parameters to access the data of terminated employees.

AI-Powered Analysis

Last updated: 07/04/2025, 07:28:32 UTC

Technical Analysis

CVE-2024-12812 is a high-severity vulnerability classified under CWE-284 (Improper Access Control) in the WordPress plugin "WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting" before version 1.13.4. The plugin provides ERP functions (human resources management, recruitment, job listings, customer relationship management and accounting) inside WordPress. Per the advisory, employees using the plugin can manipulate request parameters to read data belonging to terminated employees: the server acts on a client-supplied identifier without verifying that the requesting employee is authorised to view the referenced record, the object-level authorization failure usually described as an insecure direct object reference. The analysis on this page reports a CVSS 3.1 base score of 7.5 with vector AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:N, that is, high confidentiality impact and no integrity or availability impact. Note that PR:N (no privileges required) is inconsistent with the description, which names employees as the actors; practitioners should assume that an authenticated, low-privileged employee account is the realistic precondition and should not treat this as an unauthenticated flaw when assessing exposure. No exploitation in the wild is reported and the record carries no patch link, but the issue is fixed in version 1.13.4 and later. Disclosure of former employees' personal data can breach data protection obligations and damage organizational trust and compliance posture.
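The pattern behind this class of bug, shown as an added illustration and not as WP ERP's own code: a REST handler that trusts the client-supplied employee identifier beside a hardened version that decides from the requester's server-side identity and role. The route, parameter, capability and helper names (`hypo-erp/v1`, `employee_id`, `hypo_manage_hr`, `hypo_load_employee`) are hypothetical, and the in-memory employee table is constructed for the example; `register_rest_route`, `current_user_can`, `get_current_user_id`, `WP_Error` and `rest_ensure_response` are standard WordPress APIs.

```php
<?php
// Added illustration of the access-control failure described in the advisory.
// This is not WP ERP's code: the route, parameter, capability and helper
// names below are hypothetical, and the employee table is constructed.

// Constructed stand-in for the plugin's employee table (employee_id => record).
function hypo_load_employee( $employee_id ) {
    static $table = array(
        17 => array( 'employee_id' => 17, 'user_id' => 5, 'name' => 'A. Example', 'status' => 'active' ),
        43 => array( 'employee_id' => 43, 'user_id' => 9, 'name' => 'T. Former',  'status' => 'terminated' ),
    );
    return isset( $table[ $employee_id ] ) ? $table[ $employee_id ] : null;
}

// Vulnerable pattern: the handler trusts the client-supplied employee_id and
// the route only checks that the caller is logged in, so any employee can walk
// the ID space and read colleagues' records, including terminated ones.
function hypo_get_employee_vulnerable( WP_REST_Request $request ) {
    $employee = hypo_load_employee( (int) $request->get_param( 'employee_id' ) );
    if ( ! $employee ) {
        return new WP_Error( 'not_found', 'No such employee', array( 'status' => 404 ) );
    }
    return rest_ensure_response( $employee );
}

// Hardened pattern: the decision is made from the requester's server-side
// identity and role, never from the parameter alone. Ordinary employees may
// read only their own record; records of terminated employees require the
// HR capability. Missing and forbidden records get the same answer so that
// valid IDs cannot be enumerated by comparing responses.
function hypo_get_employee_hardened( WP_REST_Request $request ) {
    $employee = hypo_load_employee( (int) $request->get_param( 'employee_id' ) );
    $denied   = new WP_Error( 'forbidden', 'Not allowed', array( 'status' => 403 ) );
    if ( ! $employee ) {
        return $denied;
    }
    $is_hr   = current_user_can( 'hypo_manage_hr' );                 // hypothetical capability
    $is_self = ( (int) $employee['user_id'] === get_current_user_id() );
    if ( ! $is_hr && ! $is_self ) {
        return $denied;                                               // horizontal access blocked
    }
    if ( 'terminated' === $employee['status'] && ! $is_hr ) {
        return $denied;                                               // the case in this CVE
    }
    return rest_ensure_response( $employee );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'hypo-erp/v1', '/employee', array(
        'methods'             => 'GET',
        'callback'            => 'hypo_get_employee_hardened',
        // permission_callback only knows the user, not the object being read,
        // so the object-level checks above must still run inside the callback.
        'permission_callback' => 'is_user_logged_in',
        'args'                => array(
            'employee_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
            ),
        ),
    ) );
} );
```

The point of the hardened version is that `permission_callback` is a route-level gate and cannot express "this user may read this record"; that check has to happen after the record is loaded, against the requester's identity and the record's status, and both the missing-record and the forbidden-record cases must return the same response.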

Potential Impact

For European organizations the impact is significant because the data involved is HR data, including personally identifiable information (PII) of terminated employees. Unauthorized access to such data is a personal data breach under the EU General Data Protection Regulation (GDPR), with potential regulatory penalties and reputational damage. Organizations using the plugin for HR and accounting risk exposure of confidential employee records that could be used for identity theft, social engineering or insider abuse, and disclosure of former employees' records may also breach labor-law and contractual confidentiality obligations. Because the description names employees as the actors, the realistic threat is an insider, or an attacker who has obtained any employee account, rather than an anonymous visitor; the boundary being crossed is between ordinary employees and HR data they are not entitled to see. With no integrity or availability impact the threat is data leakage rather than system disruption, but a confidentiality breach of this kind is serious on its own in regulated environments and complicates audits and compliance reporting.

Mitigation Recommendations

Verify the installed WP ERP version and upgrade to 1.13.4 or later, where the issue is fixed. If upgrading must wait, reduce exposure at the web server or web application firewall by limiting the plugin's HR endpoints to the networks and accounts that need them, while recognising that network restrictions do not stop an employee who already has legitimate access from tampering with parameters; only the fixed plugin enforces the object-level check. Audit WordPress roles and capabilities so that only staff who need the HR modules hold the corresponding rights, and disable the accounts of terminated employees promptly. Log reads of employee records together with the requesting user and the requested identifier, and alert when one account reads many distinct records in a short period or reads records of terminated employees. Review data-protection and incident-response procedures so that a confirmed exposure can be assessed and notified quickly. Scan WordPress plugins for known vulnerabilities regularly and apply patches promptly, consider hosting HR and accounting plugins in a separate WordPress instance to limit blast radius, and train staff on handling sensitive HR data.
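The detection step above, worked through as an added example that is not part of the advisory or of WP ERP: a small script that parses constructed access-log lines (one per employee-record read, with the requesting user, the requested `employee_id` and the HTTP status) and flags the two signals relevant to this CWE-284 issue, a non-HR account reading a terminated employee's record and any account reading more than a threshold of distinct employee records. The log format, user names, employee IDs and the terminated and HR lists are all constructed; `hypo_parse_line` and `hypo_detect` are hypothetical helpers.

```php
<?php
// Added detection example, not part of the advisory or of WP ERP. The log
// format, user names, employee IDs and the terminated/HR lists are constructed;
// a real deployment would emit one such line per employee-record read from
// the plugin's handler (or derive it from web-server access logs).

$sample_log = array(
    '2025-05-15T10:00:01Z user=alice employee_id=17 status=200',
    '2025-05-15T10:00:05Z user=alice employee_id=17 status=200',  // re-reading own record: benign
    '2025-05-15T10:02:10Z user=bob employee_id=41 status=200',
    '2025-05-15T10:02:11Z user=bob employee_id=42 status=200',
    '2025-05-15T10:02:12Z user=bob employee_id=43 status=200',    // 43 is terminated
    '2025-05-15T10:02:13Z user=bob employee_id=44 status=403',    // denied: not a disclosure
    '2025-05-15T10:02:14Z user=bob employee_id=45 status=200',
    '2025-05-15T10:03:00Z user=carol employee_id=9 status=200',   // carol is HR: expected
    'garbage line that does not parse',
);
$terminated_ids = array( 43, 9 );      // constructed: known-terminated employee IDs
$hr_users       = array( 'carol' );    // constructed: accounts allowed to read them

function hypo_parse_line( $line ) {
    if ( ! preg_match( '/^(\S+) user=(\S+) employee_id=(\d+) status=(\d+)$/', $line, $m ) ) {
        return null;
    }
    return array( 'ts' => $m[1], 'user' => $m[2], 'employee_id' => (int) $m[3], 'status' => (int) $m[4] );
}

// Two signals for the CWE-284 pattern in this advisory: a non-HR account that
// successfully reads a terminated employee's record, and any account that reads
// more than $threshold distinct employee records (ID enumeration).
function hypo_detect( array $lines, array $terminated_ids, array $hr_users, $threshold = 3 ) {
    $ids_by_user = array();
    $findings    = array();
    foreach ( $lines as $line ) {
        $e = hypo_parse_line( $line );
        if ( null === $e || 200 !== $e['status'] ) {
            continue;   // unparsable or denied requests are not disclosures
        }
        $ids_by_user[ $e['user'] ][ $e['employee_id'] ] = true;
        if ( in_array( $e['employee_id'], $terminated_ids, true )
             && ! in_array( $e['user'], $hr_users, true ) ) {
            $findings[ $e['user'] ][] = "read terminated employee {$e['employee_id']} at {$e['ts']}";
        }
    }
    foreach ( $ids_by_user as $user => $ids ) {
        if ( count( $ids ) > $threshold ) {
            $findings[ $user ][] = 'read ' . count( $ids ) . ' distinct employee records';
        }
    }
    return $findings;
}

print_r( hypo_detect( $sample_log, $terminated_ids, $hr_users ) );
```

Only successful (200) reads count, because a denied request is a tampering attempt rather than a disclosure and belongs in a separate, lower-severity alert. The distinct-ID threshold must be tuned per role: HR staff legitimately read many records, so apply it to ordinary employee accounts and keep the terminated-record rule as the higher-confidence signal.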

Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2024-12-19T19:04:46.667Z
Cisa Enriched: false
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec202

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 7:28:32 AM

Last updated: 8/7/2025, 6:07:38 AM

