WP ERP < 1.13.4 – Unauthorized Access to Terminated Employee Information | CVE 2024-12812 | Plugin Vulnerabilities

Description

The plugin is affected by an IDOR issue, as employees can manipulate parameters to access the data of terminated employees

Proof of Concept

In the "People > Employees" section of the plugin, configure the following:

Employee A - Active (id=1)
Employee B - Terminated (id=2)
Employee C - Active (id=3)

Steps:

1. Login as Employee A. 
2. Employee A has access to People Employees (Only Employee A and Employee C are displayed as employees)
3. Employee A open Employee C profile
4. Employee A copy Employee C's profile URL and change the `id` to the ID of Employee B
5. They will then see the profile of the terminated employee

http://example.com/wp-admin/admin.php?page=erp-hr&section=my-profile&action=view&id=2

Affects Plugins

Fixed in 1.13.4

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Pedro Cuco (Illex)

Submitter

Pedro Cuco (Illex)

Submitter twitter

Verified

Yes

WPVDB ID

757e76fd-830f-4d1c-8b89-dfad7c9c1f37

Timeline

Publicly Published

2024-11-12 (about 1 year ago)

Added

2025-03-03 (about 9 months ago)

Last Updated

2025-08-22 (about 4 months ago)

Other

Published

Title

Published

2025-05-08

Title

WPBookit < 1.0.3 - Insecure Direct Object Reference to Unauthenticated Privilege Escalation via Email Update

Published

2022-10-21

Title

Quiz And Survey Master < 7.3.7 - Multiple Author+ IDOR

Published

2025-11-24

Title

Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated User Impersonation in Order Messages

Published

2024-11-20

Title

Button Block – Get fully customizable & multi-functional buttons < 1.1.5 - Authenticated (Contributor+) Post Disclosure

Published

2023-10-22

Title

wpDiscuz < 7.6.4 - Author+ IDOR