CVE-2020-36735

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-36735
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-36735.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-36735
Published
2023-07-01T03:15:15Z
Modified
2025-02-02T00:52:17.520908Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.3. This is due to missing or incorrect nonce validation on the handleleavecalendarfilter, addenabledisableoptionsave, leavepolicies, processbulkaction, and processcrmcontact functions. This makes it possible for unauthenticated attackers to modify the plugins settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

References

Affected packages

Git / github.com/wp-erp/wp-erp

Affected ranges

Type
GIT
Repo
https://github.com/wp-erp/wp-erp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

v1.*

v1.0
v1.0.1
v1.1.0
v1.1.1
v1.1.10
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.3.0
v1.3.1
v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.14
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.5.0
v1.5.1
v1.5.10
v1.5.11
v1.5.12
v1.5.13
v1.5.14
v1.5.15
v1.5.16
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.8
v1.5.9
v1.6.0
v1.6.1
v1.6.2
v1.6.3