Platform: wordpress
Component: mamurjor-employee-info
Fixed in: 1.0.1
CVE-2025-13990 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Mamurjor Employee Info plugin for WordPress. This flaw allows unauthenticated attackers to manipulate sensitive employee data, including records, departments, and salary information. The vulnerability impacts versions 1.0.0 through 1.0.0 of the plugin, and a fix is expected from the vendor.
The CSRF vulnerability in Mamurjor Employee Info allows an attacker to execute unauthorized actions on a WordPress site if a site administrator is tricked into clicking a malicious link. Specifically, an attacker could create, update, or delete employee records, departments, designations, salary grades, education records, and salary payments. This could lead to data breaches, unauthorized modifications to payroll systems, and potential financial fraud. The impact is amplified if the WordPress site manages sensitive employee data, as the attacker could gain control over critical information and potentially impersonate administrators.
CVE-2025-13990 was publicly disclosed on 2026-01-07. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability has not been added to the CISA KEV catalog at the time of writing.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-13990 is to upgrade to a patched version of the Mamurjor Employee Info plugin as soon as it becomes available. Until a patch is released, consider temporary workarounds: restrict the plugin's administrative functions to authenticated users and apply strict input validation; configure a Web Application Firewall (WAF) to detect and block malicious CSRF requests; and educate administrators about the risks of clicking untrusted links and opening suspicious emails. After upgrading, confirm the fix by attempting to create or modify an employee record through the plugin's admin interface and verifying that the action requires proper authentication.
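The root cause described above is a state-changing admin handler that accepts any request carrying the victim's session cookie, and the fix is to tie each such action to a per-user nonce and a capability check. The following is an added example written for this page, not code from the Mamurjor Employee Info plugin: a minimal WordPress `admin-post.php` handler for an "update employee" form, shown first in the CSRF-prone shape and then hardened. The handler names (`mei_update_employee_*`), the `manage_options` capability, the `mei_nonce` field name, and the option-based storage are all assumptions made for illustration.

```php
<?php
/**
 * Added example (not the plugin's own code). Demonstrates the CSRF-prone
 * pattern beside the hardened pattern for a WordPress admin-post handler.
 * All names, the capability and the storage call are assumptions.
 */

// --- Vulnerable pattern: the handler acts on any POST that reaches it. ---
// A form on an attacker-controlled page can submit to
// admin-post.php?action=mei_update_employee; the victim's browser attaches the
// admin's session cookie, so WordPress runs this as the admin. Not registered
// here; kept only to contrast with the hardened version below.
function mei_update_employee_unsafe() {
    $employee_id = absint( $_POST['employee_id'] ?? 0 );
    $salary      = sanitize_text_field( wp_unslash( $_POST['salary'] ?? '' ) );
    update_option( 'mei_employee_' . $employee_id . '_salary', $salary ); // assumed storage
    wp_safe_redirect( admin_url( 'admin.php?page=mei-employees' ) );
    exit;
}

// --- Hardened pattern: capability check + nonce check before any write. ---
function mei_update_employee_safe() {
    // 1. Only users allowed to administer the site may reach the write path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. Require a valid nonce bound to this specific action and the current
    //    user's session. check_admin_referer() calls wp_die() on failure, so a
    //    forged cross-site request never reaches the code below.
    check_admin_referer( 'mei_update_employee', 'mei_nonce' );

    $employee_id = absint( $_POST['employee_id'] ?? 0 );
    $salary      = sanitize_text_field( wp_unslash( $_POST['salary'] ?? '' ) );
    update_option( 'mei_employee_' . $employee_id . '_salary', $salary ); // assumed storage
    wp_safe_redirect( admin_url( 'admin.php?page=mei-employees' ) );
    exit;
}
// admin_post_{action} fires only for logged-in users; the nonce is what stops
// a logged-in admin's browser from being driven by a third-party page.
add_action( 'admin_post_mei_update_employee', 'mei_update_employee_safe' );

// The legitimate form embeds the matching nonce. A third-party page cannot
// obtain it: it is derived from the victim's session and never sent cross-origin.
function mei_render_employee_form( $employee_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mei_update_employee">
        <input type="hidden" name="employee_id" value="<?php echo esc_attr( $employee_id ); ?>">
        <?php wp_nonce_field( 'mei_update_employee', 'mei_nonce' ); ?>
        <label>Salary <input type="text" name="salary"></label>
        <button type="submit">Save</button>
    </form>
    <?php
}
```

The same two checks belong in every create, update and delete handler the advisory lists (employees, departments, designations, salary grades, education records, salary payments), each with its own action string so a nonce issued for one form cannot be replayed against another. The capability check is kept separate from the nonce check on purpose: a nonce proves the request came from a form WordPress rendered for this user, while `current_user_can()` proves the user is allowed to perform the action at all.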
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-13990 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Mamurjor Employee Info plugin for WordPress versions 1.0.0–1.0.0, allowing attackers to forge requests to manipulate employee data.
If you are using version 1.0.0–1.0.0 of the Mamurjor Employee Info plugin for WordPress, you are potentially affected by this CSRF vulnerability.
Upgrade to a patched version of the Mamurjor Employee Info plugin as soon as it is available. Until then, apply workarounds such as WAF rules and restricting access to administrative functions.
There is currently no indication of active exploitation campaigns targeting CVE-2025-13990.
Check the Mamurjor Employee Info plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-13990.