CVE-2025-13990: CWE-352 Cross-Site Request Forgery (CSRF) in mamurjor Mamurjor Employee Info
The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to create, update, or delete employee records, departments, designations, salary grades, education records, and salary payments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-13990 is a CSRF vulnerability in the Mamurjor Employee Info WordPress plugin affecting all versions up to 1.0.0. The issue arises from missing nonce validation on administrative functions, enabling attackers to forge requests that manipulate employee records, departments, designations, salary grades, education records, and salary payments if a site administrator is tricked into executing the malicious request. The vulnerability has a CVSS 3.1 base score of 4.3, indicating medium severity. No patch or remediation guidance is currently provided, and the plugin is not a cloud service.
Potential Impact
An attacker can cause an authenticated administrator to unknowingly perform unauthorized actions such as creating, updating, or deleting sensitive employee information within the plugin. This can lead to data integrity issues but does not directly impact confidentiality or availability according to the CVSS vector. There are no reports of active exploitation in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should exercise caution when interacting with untrusted links or content that could trigger administrative actions in the plugin. Applying strict access controls and limiting administrator exposure to untrusted content may reduce risk.
CVE-2025-13990: CWE-352 Cross-Site Request Forgery (CSRF) in mamurjor Mamurjor Employee Info
Description
The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to create, update, or delete employee records, departments, designations, salary grades, education records, and salary payments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-13990 is a CSRF vulnerability in the Mamurjor Employee Info WordPress plugin affecting all versions up to 1.0.0. The issue arises from missing nonce validation on administrative functions, enabling attackers to forge requests that manipulate employee records, departments, designations, salary grades, education records, and salary payments if a site administrator is tricked into executing the malicious request. The vulnerability has a CVSS 3.1 base score of 4.3, indicating medium severity. No patch or remediation guidance is currently provided, and the plugin is not a cloud service.
Potential Impact
An attacker can cause an authenticated administrator to unknowingly perform unauthorized actions such as creating, updating, or deleting sensitive employee information within the plugin. This can lead to data integrity issues but does not directly impact confidentiality or availability according to the CVSS vector. There are no reports of active exploitation in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should exercise caution when interacting with untrusted links or content that could trigger administrative actions in the plugin. Applying strict access controls and limiting administrator exposure to untrusted content may reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-03T17:09:09.632Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 695e4c117349d0379d7d569b
Added to database: 1/7/2026, 12:05:37 PM
Last enriched: 4/9/2026, 4:40:08 PM
Last updated: 5/8/2026, 8:19:44 AM
Views: 105
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.