Crew HRM WordPress Plugin Authorization Bypass Vulnerability
The Employee, Leave and Recruitment Management System – Crew HRM plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete, archive, unarchive, and duplicate arbitrary job listings — along with their associated stages, meta, addresses, and applications — by supplying an arbitrary integer job_id. The nonce verified by Dispatcher::dispatch() is exposed to all authenticated front-end visitors via wp_head script localization, meaning subscribers can trivially obtain it and satisfy the nonce check without possessing any elevated privilege.
Quick answer
Employee, Leave and Recruitment Management System - Crew HRM should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Crew HRM up to and including 1.2.2
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
Crew HRM is affected by CVE-2026-9237. The vulnerable versions allow an attacker to abuse a missing authorization, capability, or nonce check: subscriber-level users can modify job listings because job actions do not enforce the right capability checks. Update or disable the plugin first on public WordPress and WooCommerce sites.
- Inventory every WordPress site where Crew HRM is installed and enabled.
- Update Crew HRM beyond the affected version 1.2.2 when a vendor-fixed release is available.
- Disable the plugin temporarily if the affected workflow is exposed and no fixed release is available.
- Remove unnecessary subscriber accounts and review recently created low-privilege users.
- Restrict the vulnerable AJAX or REST actions with WAF rules until the plugin is patched.
- Review WordPress, WooCommerce, and plugin logs for suspicious requests targeting the affected action or order/job/quote identifiers.
- Clear page, object, and CDN caches after patching so old localized nonce or JavaScript data is not reused.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Crew HRM is not running version 1.2.2 or older.
- Test the affected action as a subscriber or unauthenticated user in staging and confirm the request is rejected.
- Verify legitimate administrator or shop-manager workflows still work after the update.
- Review recent content, labels, quotes, orders, or settings for unauthorized changes.
- Run a Fixnx scan and confirm public WordPress exposure signals have been rechecked.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-9237?
Employee, Leave and Recruitment Management System - Crew HRM versions listed as affected should be reviewed: Crew HRM up to and including 1.2.2.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
