CVE-2026-2720: CWE-862 Missing Authorization in codeclove Hr Press Lite
The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive employee information including names, email addresses, phone numbers, salary/pay rates, employment dates, and employment status.
AI Analysis
Technical Summary
The Hr Press Lite plugin for WordPress, up to version 1.0.2, contains a missing authorization vulnerability (CWE-862) identified as CVE-2026-2720. This vulnerability arises because the plugin fails to perform proper capability checks on the 'hrp-fetch-employees' AJAX action. As a result, any authenticated user with at least Subscriber-level privileges can invoke this AJAX endpoint and retrieve sensitive employee information such as names, email addresses, phone numbers, salary or pay rates, employment dates, and employment status. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network (AV:N). The attack complexity is low (AC:L), and the attacker only needs low privileges (PR:L). The scope is unchanged (S:U), and the impact is primarily on confidentiality (C:H), with no impact on integrity or availability. The CVSS v3.1 base score is 6.5, indicating a medium severity level. No patches or fixes have been published at the time of this report, and no known exploits are currently observed in the wild. The vulnerability is significant because it exposes sensitive HR data, which can lead to privacy violations, insider threats, or targeted social engineering attacks. The plugin is used by organizations relying on WordPress for HR management, making them vulnerable if they have not updated or mitigated the issue.
Potential Impact
The primary impact of CVE-2026-2720 is the unauthorized disclosure of sensitive employee data, which can severely compromise employee privacy and organizational confidentiality. Exposure of salary information and employment details can lead to insider threats, targeted phishing or social engineering campaigns, and potential regulatory compliance violations (e.g., GDPR, HIPAA). Since the vulnerability requires only Subscriber-level access, attackers could leverage compromised low-privilege accounts or social engineering to gain initial access and then exploit this flaw to escalate data access. Organizations using Hr Press Lite for HR management on WordPress sites face risks of data breaches that can damage reputation, incur legal penalties, and result in financial losses. Although the vulnerability does not affect system integrity or availability, the confidentiality breach alone is significant. The lack of patches increases the window of exposure, and the ease of exploitation makes it attractive for attackers targeting HR data.
Mitigation Recommendations
Until an official patch is released, organizations should implement the following mitigations:
1) Restrict access to the 'hrp-fetch-employees' AJAX endpoint via web application firewalls or custom server rules to allow only trusted roles or IP addresses.
2) Audit and minimize the number of users with Subscriber-level or higher privileges, ensuring that only necessary personnel have access.
3) Monitor WordPress user accounts for suspicious activity, including unexpected login attempts or privilege escalations.
4) Consider temporarily disabling or uninstalling the Hr Press Lite plugin if feasible, or replacing it with a more secure HR management solution.
5) Implement network segmentation and access controls to limit exposure of the WordPress environment.
6) Regularly review and update WordPress core, plugins, and themes to reduce attack surface.
7) Educate users about phishing and credential security to prevent account compromise.
8) Once available, promptly apply vendor patches or updates addressing this vulnerability.
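The following is an added illustration, not code from Hr Press Lite or from this report, of the CWE-862 pattern the Technical Summary describes and of the site-level stopgap the mitigations call for. It is a hypothetical WordPress plugin AJAX handler: the action name matches the advisory, but the callback names, the `hrp_view_employees` capability, the nonce action and the `hrp_employees` table are assumptions. The unchecked handler shows why registering only the `wp_ajax_` hook is not an authorization check (WordPress only verifies that the caller is logged in), the checked handler adds the nonce and capability checks, and the `admin_init` guard is a must-use-plugin style block that a site owner could apply until a vendor fix exists.

```php
<?php
/**
 * Added example (not Hr Press Lite code). Action name from the advisory;
 * capability name, table name and nonce action are assumptions.
 */

// --- Vulnerable pattern (shown for contrast; not registered here) ----------
// add_action( 'wp_ajax_hrp-fetch-employees', 'hrp_fetch_employees_unchecked' );
function hrp_fetch_employees_unchecked() {
    global $wpdb;
    // wp_ajax_ only requires a logged-in user. Without a capability check,
    // a Subscriber reaches this query exactly as an Administrator would.
    $rows = $wpdb->get_results(
        "SELECT name, email, phone, pay_rate, hired_on, status
           FROM {$wpdb->prefix}hrp_employees",
        ARRAY_A
    );
    wp_send_json_success( $rows );
}

// --- Hardened pattern ------------------------------------------------------
// A dedicated capability (assumed name) granted only to HR-administering
// roles on activation, so "logged in" alone is never sufficient.
register_activation_hook( __FILE__, 'hrp_add_caps' );
function hrp_add_caps() {
    $role = get_role( 'administrator' );
    if ( $role ) {
        $role->add_cap( 'hrp_view_employees' );
    }
}

add_action( 'wp_ajax_hrp-fetch-employees', 'hrp_fetch_employees_checked' );
function hrp_fetch_employees_checked() {
    // CSRF nonce: third argument false so we can answer with JSON + 403
    // instead of the default die().
    if ( ! check_ajax_referer( 'hrp_fetch_employees', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request token.' ), 403 );
    }
    // The authorization check that CWE-862 describes as missing.
    if ( ! current_user_can( 'hrp_view_employees' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT name, email, phone, pay_rate, hired_on, status
           FROM {$wpdb->prefix}hrp_employees",
        ARRAY_A
    );
    wp_send_json_success( $rows );
}

// The nonce is passed to the admin page script that calls the endpoint,
// which sends it back in the request body as "nonce".
add_action( 'admin_enqueue_scripts', 'hrp_enqueue_admin_script' );
function hrp_enqueue_admin_script() {
    wp_enqueue_script( 'hrp-admin', plugins_url( 'hrp-admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hrp-admin', 'hrpAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'hrp_fetch_employees' ),
    ) );
}

// --- Site-level stopgap (mitigation 1) -------------------------------------
// admin_init fires in admin-ajax.php before any wp_ajax_* hook, so a small
// must-use plugin can refuse the vulnerable action for everyone who lacks
// an administrative capability, without touching the plugin's own files.
add_action( 'admin_init', 'hrp_block_unauthorized_fetch', 1 );
function hrp_block_unauthorized_fetch() {
    if ( ! wp_doing_ajax() || ! isset( $_REQUEST['action'] ) ) {
        return;
    }
    if ( 'hrp-fetch-employees' === $_REQUEST['action'] && ! current_user_can( 'manage_options' ) ) {
        // Log the attempt for monitoring (mitigation 3), then refuse it.
        error_log( sprintf( 'Blocked hrp-fetch-employees for user %d', get_current_user_id() ) );
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }
}
```

The stopgap deliberately uses a coarse capability (`manage_options`) because a site owner cannot know which custom capability an unpatched plugin expects; once a vendor release adds its own check, the must-use plugin can be removed. The `error_log` line gives the monitoring in mitigation 3 something concrete to watch: repeated 403s on this action from one low-privilege account are the signal.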
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, India, France, Netherlands, Brazil, South Africa
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-18T21:16:02.973Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69be180df4197a8e3b7842d9
Added to database: 3/21/2026, 4:01:17 AM
Last enriched: 3/21/2026, 4:36:12 AM
Last updated: 3/22/2026, 5:06:33 AM