CVE-2025-13990: CWE-352 Cross-Site Request Forgery (CSRF) in mamurjor Mamurjor Employee Info
The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to create, update, or delete employee records, departments, designations, salary grades, education records, and salary payments via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
The Mamurjor Employee Info plugin for WordPress suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-13990, affecting all versions up to and including 1.0.0. The root cause is the absence of nonce validation on several administrative functions within the plugin. Nonces are security tokens used to verify that requests originate from legitimate users and not from malicious third parties. Without nonce checks, attackers can craft malicious requests that, when executed by an authenticated administrator (via clicking a link or visiting a malicious site), perform unauthorized actions on the WordPress site. These actions include creating, updating, or deleting employee records, departments, designations, salary grades, education records, and salary payments. The vulnerability does not require the attacker to be authenticated but does require the administrator to interact with the malicious request, making social engineering a key exploitation vector. The CVSS 3.1 base score of 4.3 reflects a medium severity, with no impact on confidentiality or availability but a partial impact on data integrity. No patches or fixes are currently linked, and no known exploits are in the wild. This vulnerability highlights the importance of implementing nonce validation in WordPress plugins to prevent CSRF attacks.
Potential Impact
The primary impact of this vulnerability is the potential unauthorized modification of sensitive employee data within the affected WordPress sites. Attackers can manipulate critical HR-related information such as employee records, departmental structures, salary information, and educational credentials. This can lead to data integrity issues, loss of trust, and potential regulatory compliance violations, especially in organizations subject to data protection laws. Although confidentiality and availability are not directly affected, the integrity compromise can disrupt HR operations and payroll processing. Organizations relying on the Mamurjor Employee Info plugin may face operational challenges, reputational damage, and increased risk of insider threats if attackers leverage this vulnerability for malicious purposes. The requirement for administrator interaction reduces the likelihood of widespread automated exploitation but does not eliminate risk, especially in environments with less security awareness.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately verify whether they use the Mamurjor Employee Info plugin and upgrade to a patched version once available. In the absence of an official patch, administrators or developers should implement nonce validation on all administrative actions within the plugin to ensure requests are legitimate. Additionally, organizations should educate WordPress administrators about the risks of CSRF and social engineering attacks, emphasizing caution when clicking on unsolicited links or visiting untrusted websites while logged into administrative accounts. Employing web application firewalls (WAFs) with rules to detect and block CSRF attempts can provide an additional layer of defense. Restricting administrative access to trusted IP addresses and enforcing multi-factor authentication (MFA) can further reduce exploitation risk. Regular security audits of WordPress plugins and monitoring for unusual administrative activity are also recommended.
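The following is an added illustration of the pattern the advisory describes, not code from the Mamurjor plugin: a hypothetical admin-post handler that writes an employee record with no nonce check, beside the same handler hardened with the WordPress capability and nonce APIs (action names, the `mei_` prefix, the table name and the fields are assumptions).

```php
<?php
// Hypothetical handler modelled on the advisory's description; not Mamurjor code.
// Table name, action names and fields are assumptions for illustration.

// --- Vulnerable shape: the request is trusted as long as an admin session exists.
// Any page the logged-in admin visits can submit this form cross-site.
add_action( 'admin_post_mei_save_employee_vuln', function () {
    global $wpdb;
    $wpdb->insert( $wpdb->prefix . 'mei_employees', array(
        'name'   => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
        'salary' => (int) ( $_POST['salary'] ?? 0 ),
    ) );
    wp_safe_redirect( admin_url( 'admin.php?page=mei-employees' ) );
    exit;
} );

// --- Hardened shape: the same handler behind a capability check and a nonce.
add_action( 'admin_post_mei_save_employee', function () {
    // 1. Authorization: only users allowed to manage the site may write records.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF defence: the nonce is tied to this action, this user and the
    //    current time window, so a form served from another origin cannot
    //    supply a valid one. check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'mei_save_employee', 'mei_nonce' );

    global $wpdb;
    $wpdb->insert( $wpdb->prefix . 'mei_employees', array(
        'name'   => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
        'salary' => (int) ( $_POST['salary'] ?? 0 ),
    ) );
    wp_safe_redirect( admin_url( 'admin.php?page=mei-employees&saved=1' ) );
    exit;
} );

// --- The plugin's own admin form must emit the matching nonce field.
function mei_render_employee_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mei_save_employee">
        <?php wp_nonce_field( 'mei_save_employee', 'mei_nonce' ); ?>
        <input type="text" name="name">
        <input type="number" name="salary">
        <?php submit_button( 'Save employee' ); ?>
    </form>
    <?php
}
```

Every create, update and delete action named in the advisory needs its own nonce action string and a capability check of this kind; a nonce alone is not an authorization control.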
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, South Africa, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-03T17:09:09.632Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695e4c117349d0379d7d569b
Added to database: 1/7/2026, 12:05:37 PM
Last enriched: 2/27/2026, 10:39:14 AM
Last updated: 3/24/2026, 4:29:46 PM
Views: 59