MEDIUM · CVE-2025-13990 · CVSS 4.3

CVE-2025-13990: CSRF in Mamurjor Employee Info WordPress Plugin

Platform

wordpress

Component

mamurjor-employee-info

Fixed in

1.0.1

AI Confidence: high · Source: NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2025-13990 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Mamurjor Employee Info plugin for WordPress. The flaw lets an unauthenticated attacker manipulate sensitive employee data, including employee records, departments, and salary information, by forging requests that an authenticated administrator's browser submits. The vulnerability affects version 1.0.0 of the plugin (the reported range is 1.0.0 through 1.0.0), and a fix is expected from the vendor.


Impact and Attack Scenarios

The CSRF vulnerability in Mamurjor Employee Info allows an attacker to execute unauthorized actions on a WordPress site if a site administrator is tricked into clicking a malicious link. Specifically, an attacker could create, update, or delete employee records, departments, designations, salary grades, education records, and salary payments. This could lead to data breaches, unauthorized modifications to payroll systems, and potential financial fraud. The impact is amplified if the WordPress site manages sensitive employee data, as the attacker could gain control over critical information and potentially impersonate administrators.

Exploitation Context

CVE-2025-13990 was publicly disclosed on 2026-01-07. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability has not been added to the CISA KEV catalog at the time of writing.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.02% (6th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base score: 4.3 (MEDIUM)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: mamurjor-employee-info
Vendor: wordfence
Affected range: 0 – 1.0.0
Fixed in: 1.0.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 137 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2025-13990 is to upgrade to a patched version of the Mamurjor Employee Info plugin as soon as it becomes available. Until a patch is released, consider temporary workarounds. One approach is to restrict the plugin's administrative functions to authenticated users with the appropriate capability and to enforce strict input validation on every state-changing request. Web Application Firewalls (WAFs) can be configured to detect and block malicious CSRF requests. Additionally, educate administrators about the risks of clicking untrusted links and opening suspicious emails. After upgrading, confirm the fix by attempting to create or modify an employee record through the plugin's admin interface and verifying that the action is only accepted from a properly authenticated session.
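For context on what the fix needs to look like, the following is an added example and not the Mamurjor Employee Info plugin's own code. It shows a hypothetical admin-post handler for an "add employee" form in its CSRF-prone shape beside a hardened version that uses WordPress's standard defences: a capability check, a nonce check via check_admin_referer(), and input sanitisation. All names (mei_* functions, the mei_employees table, the mei_nonce field) are placeholders chosen for illustration.

```php
<?php
/**
 * Added example, not the plugin's own code. Hypothetical "add employee"
 * admin-post handler, shown as the CSRF-prone pattern and the hardened one.
 * All mei_* names, the table name and field names are placeholders.
 */

// --- Vulnerable pattern: trusts any POST that reaches the handler --------
// Nothing here proves the request originated from the plugin's own page, so
// a cross-site form submitted by a logged-in admin's browser is accepted.
function mei_vulnerable_add_employee() {
    global $wpdb;
    $wpdb->insert( $wpdb->prefix . 'mei_employees', array(
        'name'   => $_POST['name'],
        'salary' => $_POST['salary'],
    ) );
    wp_safe_redirect( admin_url( 'admin.php?page=mei-employees' ) );
    exit;
}

// --- Hardened pattern ----------------------------------------------------
function mei_add_employee() {
    // 1. Authorization: the user must hold the capability, not merely be logged in.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF defence: the request must carry the nonce issued with the form.
    //    check_admin_referer() stops execution ("The link you followed has
    //    expired.") when the nonce is missing, stale, or bound to a different
    //    action or user. A cross-site page cannot read the nonce, so it
    //    cannot forge a request that passes this check.
    check_admin_referer( 'mei_add_employee', 'mei_nonce' );

    // 3. Input validation: coerce fields to the expected types before storage.
    $name   = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $salary = absint( $_POST['salary'] ?? 0 );
    if ( '' === $name ) {
        wp_die( 'Employee name is required.', 400 );
    }

    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'mei_employees',
        array( 'name' => $name, 'salary' => $salary ),
        array( '%s', '%d' )
    );
    wp_safe_redirect( add_query_arg( 'added', 1, admin_url( 'admin.php?page=mei-employees' ) ) );
    exit;
}
// Only the admin_post_ hook is registered (no admin_post_nopriv_), so the
// handler is never reachable by anonymous requests.
add_action( 'admin_post_mei_add_employee', 'mei_add_employee' );

// The form that issues the nonce. The hidden nonce field is exactly what a
// forged cross-site request cannot supply.
function mei_render_add_employee_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mei_add_employee">
        <?php wp_nonce_field( 'mei_add_employee', 'mei_nonce' ); ?>
        <label>Name <input type="text" name="name" required></label>
        <label>Salary <input type="number" name="salary" min="0"></label>
        <?php submit_button( 'Add employee' ); ?>
    </form>
    <?php
}
```

The post-upgrade check described above maps directly onto this pattern: submitting the form from the plugin's admin page (nonce present) should succeed, while the same POST with the nonce field removed or altered should be rejected before any database write happens. A handler that still accepts the nonce-less request has not addressed the CSRF condition, regardless of whether the user was logged in.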

How to fix

No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.


Frequently asked questions

What is CVE-2025-13990 — CSRF in Mamurjor Employee Info WordPress Plugin?

CVE-2025-13990 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Mamurjor Employee Info plugin for WordPress versions 1.0.0–1.0.0, allowing attackers to forge requests to manipulate employee data.

Am I affected by CVE-2025-13990 in Mamurjor Employee Info WordPress Plugin?

If you are using Mamurjor Employee Info plugin version 1.0.0–1.0.0 in WordPress, you are potentially affected by this CSRF vulnerability.

How do I fix CVE-2025-13990 in Mamurjor Employee Info WordPress Plugin?

Upgrade to a patched version of the Mamurjor Employee Info plugin as soon as it's available. Until then, implement workarounds like WAF rules and restrict access to administrative functions.

Is CVE-2025-13990 being actively exploited?

There is currently no indication of active exploitation campaigns targeting CVE-2025-13990.

Where can I find the official Mamurjor Employee Info advisory for CVE-2025-13990?

Check the Mamurjor Employee Info plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-13990.
