ERP < 1.16.7 – Authenticated (Subscriber+) Information Exposure | CVE 2025-67546 | Plugin Vulnerabilities

Description

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.16.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.

Affects Plugins

Fixed in 1.16.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e2159209-d220-4a80-bc67-430d37a16dea

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

daroo

Verified

No

WPVDB ID

9a717eba-73c8-49d1-8664-cbca10c7815e

Timeline

Publicly Published

2025-11-26 (about 5 months ago)

Added

2025-12-20 (about 5 months ago)

Last Updated

2025-12-20 (about 5 months ago)

Other

Published

Title

Published

2024-12-09

Title

Simple Restrict < 1.2.8 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

Published

2025-01-06

Title

Duplicate Post, Page and Any Custom Post < 3.5.6 - Authenticated (Contributor+) Post Disclosure via Post Duplication

Published

2024-07-13

Title

UsersWP < 1.2.12 - Users Information Disclosure

Published

2025-01-16

Title

WM Options Import Export <= 1.0.1 - Unauthenticated Information Exposure

Published

2025-08-11

Title

Elementor < 3.30.3 - Admin+ Arbitrary File Read via Image Import