mediumCVE-2026-9237

Crew HRM WordPress Plugin Authorization Bypass Vulnerability

The Employee, Leave and Recruitment Management System – Crew HRM plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete, archive, unarchive, and duplicate arbitrary job listings — along with their associated stages, meta, addresses, and applications — by supplying an arbitrary integer job_id. The nonce verified by Dispatcher::dispatch() is exposed to all authenticated front-end visitors via wp_head script localization, meaning subscribers can trivially obtain it and satisfy the nonce check without possessing any elevated privilege.

ProductEmployee, Leave and Recruitment Management System - Crew HRM
CVSS4.3
EPSSNot scored yet
UpdatedJuly 10, 2026

Quick answer

Employee, Leave and Recruitment Management System - Crew HRM should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Crew HRM up to and including 1.2.2

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

Crew HRM is affected by CVE-2026-9237. The vulnerable versions allow an attacker to abuse a missing authorization, capability, or nonce check: subscriber-level users can modify job listings because job actions do not enforce the right capability checks. Update or disable the plugin first on public WordPress and WooCommerce sites.

  1. Inventory every WordPress site where Crew HRM is installed and enabled.
  2. Update Crew HRM beyond the affected version 1.2.2 when a vendor-fixed release is available.
  3. Disable the plugin temporarily if the affected workflow is exposed and no fixed release is available.
  4. Remove unnecessary subscriber accounts and review recently created low-privilege users.
  5. Restrict the vulnerable AJAX or REST actions with WAF rules until the plugin is patched.
  6. Review WordPress, WooCommerce, and plugin logs for suspicious requests targeting the affected action or order/job/quote identifiers.
  7. Clear page, object, and CDN caches after patching so old localized nonce or JavaScript data is not reused.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm Crew HRM is not running version 1.2.2 or older.
  • Test the affected action as a subscriber or unauthenticated user in staging and confirm the request is rejected.
  • Verify legitimate administrator or shop-manager workflows still work after the update.
  • Review recent content, labels, quotes, orders, or settings for unauthorized changes.
  • Run a Fixnx scan and confirm public WordPress exposure signals have been rechecked.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-9237?

Employee, Leave and Recruitment Management System - Crew HRM versions listed as affected should be reviewed: Crew HRM up to and including 1.2.2.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.