CVE-2025-13990: CWE-352 Cross-Site Request Forgery (CSRF) in mamurjor Mamurjor Employee Info
The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to create, update, or delete employee records, departments, designations, salary grades, education records, and salary payments via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-13990 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Mamurjor Employee Info plugin for WordPress, affecting all versions up to and including 1.0.0. The root cause is the absence of nonce validation on multiple administrative functions within the plugin. Nonces are security tokens used to verify that requests originate from legitimate users and not from malicious third parties. Without nonce checks, attackers can craft malicious URLs or web requests that, when visited or triggered by an authenticated administrator, execute unauthorized actions. These actions include creating, updating, or deleting sensitive employee-related data such as employee records, departments, designations, salary grades, education records, and salary payments. The attack vector requires no prior authentication but does require user interaction, specifically an administrator clicking on a malicious link or visiting a crafted webpage. The vulnerability impacts the integrity of the data but does not affect confidentiality or availability directly. The CVSS 3.1 base score is 4.3 (medium severity), reflecting the ease of exploitation (no authentication needed) but requiring user interaction and limited impact scope. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in December 2025 and published in January 2026 by Wordfence. Given the plugin’s administrative scope, exploitation could disrupt HR and payroll operations, leading to inaccurate employee data and potential compliance issues.
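The missing check described above is easiest to see side by side with its fix. The following is an added illustration, not code from the Mamurjor Employee Info plugin: a WordPress `admin_post_*` handler that accepts any POST (the vulnerable pattern), followed by the same handler with a nonce tied to the action and a capability check. The hook names, the `mei_` prefix, the table name, the form fields and the capability are assumptions chosen for the example; the WordPress functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`) are the standard ones.

```php
<?php
/**
 * Added illustration (not code from the Mamurjor Employee Info plugin):
 * an admin-post.php handler with no nonce check, as the advisory describes,
 * next to the hardened version. Hook names, the "mei_" prefix, the table
 * name, the fields and the capability are assumptions for the example.
 */

// ---- Vulnerable pattern: any POST carrying these fields is accepted ----
add_action( 'admin_post_mei_save_employee_vuln', 'mei_save_employee_vuln' );
function mei_save_employee_vuln() {
    global $wpdb;
    // No nonce check and no capability check: a form submitted from another
    // site by a logged-in administrator's browser lands here and is processed.
    $wpdb->insert( $wpdb->prefix . 'mei_employees', array(
        'name'   => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
        'salary' => (int) ( $_POST['salary'] ?? 0 ),
    ) );
    wp_safe_redirect( admin_url( 'admin.php?page=mei_employees' ) );
    exit;
}

// ---- Hardened pattern: nonce bound to the action, plus capability check ----
add_action( 'admin_post_mei_save_employee', 'mei_save_employee' );
function mei_save_employee() {
    global $wpdb;
    // check_admin_referer() validates $_POST['mei_nonce'] for action
    // 'mei_save_employee' against the current user and session; on failure
    // WordPress calls wp_die() (HTTP 403) and the handler never continues.
    check_admin_referer( 'mei_save_employee', 'mei_nonce' );
    // A nonce proves intent, not authority: the capability check is separate.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    $wpdb->insert( $wpdb->prefix . 'mei_employees', array(
        'name'   => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
        'salary' => (int) ( $_POST['salary'] ?? 0 ),
    ) );
    wp_safe_redirect( admin_url( 'admin.php?page=mei_employees&saved=1' ) );
    exit;
}

// ---- The form that issues the nonce the hardened handler expects ----
function mei_render_employee_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mei_save_employee">
        <?php wp_nonce_field( 'mei_save_employee', 'mei_nonce' ); ?>
        <input type="text" name="name" required>
        <input type="number" name="salary" min="0">
        <?php submit_button( 'Save employee' ); ?>
    </form>
    <?php
}
```

Every state-changing handler (create, update, delete for each record type the advisory lists) needs its own `check_admin_referer()` call with a matching `wp_nonce_field()` in the form; for `wp_ajax_*` handlers the equivalent is `check_ajax_referer()`. A nonce alone is not an authorization check, which is why the capability test stays in place even after the nonce validates.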
Potential Impact
For European organizations, this vulnerability poses a risk to the integrity of critical employee information managed through the Mamurjor Employee Info plugin. Unauthorized modification or deletion of employee records, salary details, and departmental data could lead to payroll errors, compliance violations with labor laws and GDPR, and loss of trust in internal HR systems. Although the vulnerability does not expose confidential data directly, manipulation of employee data can have downstream effects on financial reporting and employee relations. The requirement for administrator interaction means social engineering or phishing campaigns targeting HR or IT administrators could be effective. Organizations relying on WordPress for HR management and using this plugin are at risk of operational disruption and reputational damage. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability is public. The medium severity rating indicates a moderate but actionable risk that should be addressed promptly to prevent potential exploitation.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first verify whether they use the Mamurjor Employee Info plugin and identify affected versions (up to 1.0.0). Since no official patch is currently available, administrators should apply manual mitigations such as implementing nonce validation on all administrative functions within the plugin code to ensure requests are legitimate. Limiting administrative access to trusted personnel and enforcing multi-factor authentication can reduce the risk of successful social engineering. Additionally, administrators should be trained to recognize and avoid phishing attempts or suspicious links that could trigger CSRF attacks. Network-level protections, such as web application firewalls (WAFs), can be configured to detect and block suspicious POST requests targeting the plugin’s endpoints. Monitoring logs for unusual administrative actions or changes in employee data can help detect exploitation attempts early. Organizations should stay alert for official patches or updates from the vendor and apply them promptly once available. Finally, consider isolating HR management systems or using alternative plugins with stronger security postures if remediation is delayed.
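The log-monitoring recommendation above can be turned into a concrete first-pass check. The script below is an added example, not part of the advisory or the plugin: it scans web server access log lines (combined format) for POST requests to the WordPress admin action endpoints whose Referer is missing or belongs to a different host, which is the shape a forged cross-site submission takes. The site host `hr.example.org` and the `mei_` action prefix are assumptions, and the log entries at the bottom are constructed for the example.

```php
<?php
/**
 * Added detection example, not code from the plugin or the advisory: scan web
 * server access logs for state-changing requests to WordPress admin endpoints
 * that arrive without a same-origin Referer. The site host is an assumption;
 * the log lines at the bottom are constructed, not real traffic.
 */

const MEI_SITE_HOST = 'hr.example.org'; // assumed host of the WordPress site

// Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
const MEI_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

/**
 * Returns one row per suspicious request: a POST to admin-post.php or
 * admin-ajax.php whose Referer is missing ("-") or belongs to another host.
 * A missing Referer is the weaker signal (browser privacy settings strip it),
 * so the reason is recorded to let the analyst weight the two cases.
 */
function mei_find_csrf_candidates( array $log_lines, string $site_host = MEI_SITE_HOST ): array {
    $hits = array();
    foreach ( $log_lines as $line ) {
        if ( ! preg_match( MEI_LOG_RE, $line, $m ) ) {
            continue; // unexpected format: skip rather than guess at fields
        }
        list( , $ip, $ts, $method, $path, $status, $referer ) = $m;
        if ( 'POST' !== $method || ! preg_match( '#^/wp-admin/admin-(post|ajax)\.php#', $path ) ) {
            continue; // only state-changing requests to the admin action endpoints
        }
        // admin-ajax.php carries the action in the query string; admin-post.php
        // usually carries it in the body, which access logs do not record.
        $action = preg_match( '/[?&]action=([A-Za-z0-9_]+)/', $path, $a ) ? $a[1] : '(in body)';

        if ( '-' === $referer || '' === $referer ) {
            $reason = 'no-referer';
        } elseif ( strcasecmp( (string) parse_url( $referer, PHP_URL_HOST ), $site_host ) !== 0 ) {
            $reason = 'cross-origin-referer';
        } else {
            continue; // same-origin form submission: expected admin traffic
        }
        $hits[] = compact( 'ip', 'ts', 'action', 'status', 'referer', 'reason' );
    }
    return $hits;
}

// Constructed sample entries for the example (not real traffic).
$sample = array(
    '203.0.113.5 - - [07/Jan/2026:12:05:37 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://hr.example.org/wp-admin/admin.php?page=mei_employees" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Jan/2026:12:06:01 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://forum.example.net/thread/4711" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Jan/2026:12:06:30 +0000] "POST /wp-admin/admin-ajax.php?action=mei_delete_employee HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Jan/2026:12:07:00 +0000] "GET /wp-admin/admin.php?page=mei_employees HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
);

// The second and third sample lines are reported; the first (same-origin
// Referer) and fourth (GET) are not.
foreach ( mei_find_csrf_candidates( $sample ) as $hit ) {
    printf( "%s %s action=%s status=%s reason=%s referer=%s\n",
        $hit['ts'], $hit['ip'], $hit['action'], $hit['status'], $hit['reason'], $hit['referer'] );
}
```

The Referer check is a triage signal, not proof: a legitimate submission can lack a Referer, and an exploit page can be hosted anywhere. Pair it with the application-side evidence the advisory points at, such as unexpected inserts, updates or deletes in the plugin's tables, and, once nonce validation is in place, with 403 responses from `admin-post.php` and `admin-ajax.php`, which are exactly what a forged request without a valid nonce produces.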
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-03T17:09:09.632Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695e4c117349d0379d7d569b
Added to database: 1/7/2026, 12:05:37 PM
Last enriched: 1/7/2026, 12:10:28 PM
Last updated: 1/9/2026, 2:06:09 AM