WP Human Resource Management Missing Authorization Vulnerability Allowing Arbitrary User Deletion

Vulnerability

A vulnerability in the WP Human Resource Management plugin for WordPress, affecting versions 2.0.0 to 2.2.17, allows arbitrary user deletion. The issue arises from a missing authorization check in the 'ajax_delete_employee()' function. The function passes user IDs from the client-supplied 'delete' array straight to 'wp_delete_user()' without verifying whether the caller has the 'delete_users' capability and without restricting which user IDs may be deleted. As a result, authenticated attackers with Employee-level access or higher can delete any user account, including those of administrators.
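For contrast, the following is an added illustration (not the plugin's own code) of what a correctly guarded handler for the same 'wp_ajax_hrm_delete_employee' action looks like, adding the capability check and target restrictions the advisory says are absent. The function name 'hardened_ajax_delete_employee', the nonce action name 'hrm_delete_employee_nonce' and the POST field 'nonce' are assumptions; 'delete', 'wp_delete_user()' and the 'delete_users' capability come from the advisory text.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for the AJAX
// delete handler described in the advisory. Only the authenticated
// wp_ajax_ hook is registered (no wp_ajax_nopriv_ variant).
add_action( 'wp_ajax_hrm_delete_employee', 'hardened_ajax_delete_employee' );

function hardened_ajax_delete_employee() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    //    'hrm_delete_employee_nonce' and the 'nonce' field are assumed names.
    check_ajax_referer( 'hrm_delete_employee_nonce', 'nonce' );

    // 2. Authorization (the check the advisory reports as missing): the caller
    //    must hold delete_users, which Employee-level accounts do not.
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: 'delete' must be an array of positive integer IDs.
    $raw = isset( $_POST['delete'] ) ? wp_unslash( $_POST['delete'] ) : array();
    if ( ! is_array( $raw ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }
    $ids = array_filter( array_map( 'absint', $raw ) ); // drops 0 / non-numeric

    $current = get_current_user_id();
    $deleted = array();
    $skipped = array();

    foreach ( $ids as $id ) {
        // 4. Restrict which IDs are deletable: the account must exist, must not
        //    be the caller's own, and administrators may only be removed by
        //    another administrator.
        $user = get_userdata( $id );
        if ( ! $user || $id === $current ) {
            $skipped[] = $id;
            continue;
        }
        $target_is_admin = in_array( 'administrator', (array) $user->roles, true );
        if ( $target_is_admin && ! current_user_can( 'administrator' ) ) {
            $skipped[] = $id;
            continue;
        }

        // 5. Per-target meta capability: core maps delete_user to delete_users
        //    and, on multisite, allows it only for super admins.
        if ( ! current_user_can( 'delete_user', $id ) ) {
            $skipped[] = $id;
            continue;
        }

        if ( wp_delete_user( $id ) ) {
            $deleted[] = $id;
        } else {
            $skipped[] = $id;
        }
    }

    wp_send_json_success( array( 'deleted' => $deleted, 'skipped' => $skipped ) );
}
```

The two checks that matter most are the early 'current_user_can( \'delete_users\' )' gate, which stops Employee-level callers before any ID is processed, and the per-ID 'delete_user' meta-capability check, which lets WordPress core apply its own multisite rules; the self-deletion and administrator restrictions are additional hardening a reviewer would expect in a handler that accepts a client-supplied list of IDs.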

Impact

Exploitation of this vulnerability could lead to the unauthorized deletion of user accounts, including administrators, from the WordPress site.

Reproduction

To reproduce this vulnerability, an authenticated user with Employee-level access or higher can send a request to the 'wp_ajax_hrm_delete_employee' action. This request must include the 'delete' array in the '$_POST' data, containing the IDs of the users to be deleted. The absence of proper authorization checks in the 'ajax_delete_employee()' function will allow the specified user IDs to be deleted without restriction.

Remediation

No known patch is available. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.

Added: Jul 4, 2025, 3:35 AM
Updated: Jul 4, 2025, 3:35 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.