The WP Human Resource Management plugin for WordPress, developed by asaquzzaman, contains a critical authorization bypass vulnerability identified as CVE-2025-5956. This vulnerability exists in versions 2.0.0 through 2.2.17 within the ajax_delete_employee() function, which handles deletion requests for employee user accounts. The function processes a client-supplied $_POST['delete'] array containing user IDs to be deleted and calls WordPress's wp_delete_user() function directly on each ID. Crucially, the plugin fails to verify whether the requesting user has the 'delete_users' capability or restrict which user IDs can be deleted. As a result, any authenticated user with at least Employee-level access can delete arbitrary user accounts, including administrators, without proper authorization. This leads to a serious integrity violation, as attackers can remove critical accounts, potentially locking out legitimate administrators and disrupting site management. The vulnerability does not require user interaction beyond sending a crafted POST request and can be exploited remotely over the network. The CVSS v3.1 score is 6.5 (medium), reflecting the ease of exploitation with limited privileges and the high impact on integrity. No patches or official fixes have been published at the time of disclosure, and no known exploits are currently in the wild. However, the vulnerability poses a significant risk to organizations relying on this plugin for HR management on WordPress sites.

This vulnerability allows authenticated users with minimal privileges (Employee-level or above) to delete any user account, including administrators. The impact is primarily on integrity, as unauthorized deletion of accounts can disrupt normal operations, cause denial of administrative access, and potentially lead to loss of control over the WordPress site. Organizations may face operational downtime, loss of critical user data, and increased risk of further compromise if administrative accounts are removed. The absence of authorization checks means that attackers can escalate their influence by removing higher-privileged users, effectively performing privilege escalation through account deletion. Although availability and confidentiality impacts are limited, the integrity breach can have cascading effects on organizational security posture and trustworthiness of the affected systems.

Immediate mitigation involves restricting access to the vulnerable ajax_delete_employee() function by limiting Employee-level user capabilities or disabling the plugin until a patch is available. Administrators should audit user roles and permissions to ensure that only trusted users have Employee-level or higher access. Implementing Web Application Firewall (WAF) rules to detect and block suspicious POST requests targeting the deletion endpoint can reduce exploitation risk. Monitoring logs for unusual user deletion activities is critical for early detection. Since no official patch is available, organizations can consider applying custom code fixes to add proper authorization checks verifying the 'delete_users' capability and restricting deletions to authorized user IDs only. Regular backups of user data and site configurations should be maintained to enable recovery from unauthorized deletions. Finally, organizations should track vendor updates and apply patches promptly once released.