CVE-2025-5956 is a security vulnerability identified in the WP Human Resource Management plugin for WordPress, specifically affecting versions 2.0.0 through 2.2.17. The vulnerability arises from a missing authorization check in the ajax_delete_employee() function. This function processes a client-supplied $_POST['delete'] array containing user IDs intended for deletion. Critically, the function directly passes these IDs to the WordPress core function wp_delete_user() without verifying whether the requesting user has the necessary 'delete_users' capability or restricting which user accounts can be deleted. As a result, any authenticated user with Employee-level access or higher can exploit this flaw to delete arbitrary user accounts, including those with administrative privileges. The vulnerability is classified under CWE-862 (Missing Authorization) and has a CVSS v3.1 base score of 6.5, indicating a medium severity level. The attack vector is network-based (remote), requires low attack complexity, and privileges equivalent to an authenticated user with limited rights (PR:L). No user interaction is required for exploitation, and the impact is primarily on integrity, as unauthorized deletion of user accounts compromises the trustworthiness and operational continuity of the affected system. There are no known exploits in the wild as of the publication date, and no official patches have been linked yet. The vulnerability could allow attackers to disrupt organizational operations by removing critical user accounts, potentially locking out legitimate users and administrators, and causing significant administrative overhead to recover from such incidents.

For European organizations using WordPress with the WP Human Resource Management plugin, this vulnerability poses a significant risk to user account integrity and operational stability. Unauthorized deletion of user accounts, especially administrators, can lead to loss of control over the HR management system, disruption of HR workflows, and potential exposure to further attacks if administrative access is lost or compromised. Organizations relying on this plugin for employee data management may face operational downtime, data inconsistency, and increased risk of insider threats if malicious employees exploit this flaw. Additionally, GDPR compliance could be impacted if user data management is disrupted or if unauthorized deletions lead to data loss or inability to maintain accurate records. The medium CVSS score reflects the moderate but tangible risk, especially in environments where multiple users have at least Employee-level access. The absence of required user interaction and the low complexity of exploitation increase the likelihood of internal threat actors or compromised accounts abusing this vulnerability.

To mitigate this vulnerability, European organizations should immediately audit their WordPress installations to identify the presence of the WP Human Resource Management plugin versions 2.0.0 through 2.2.17. Until an official patch is released, organizations should implement the following specific measures: 1) Restrict plugin usage to trusted administrators only by limiting Employee-level access or higher to only essential personnel. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious AJAX requests targeting the ajax_delete_employee() endpoint, especially those attempting mass user deletions. 3) Implement monitoring and alerting on user deletion events within WordPress to quickly detect unauthorized deletions. 4) Consider temporarily disabling or removing the plugin if it is not critical to operations. 5) Review and tighten WordPress user role permissions to minimize the number of users with deletion capabilities. 6) Once available, promptly apply official patches or updates from the plugin vendor. 7) Conduct regular backups of user data and WordPress configurations to enable rapid restoration in case of exploitation. These targeted actions go beyond generic advice by focusing on access control, monitoring, and proactive defense tailored to the vulnerability's exploitation vector.