Platform: wordpress
Component: wp-hrm-lite-human-resource-management-system
Fixed in: 1.1.1
CVE-2025-46455 describes a SQL Injection vulnerability discovered in WP HRM LITE, a WordPress plugin for human resource management. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 up to and including 1.1, and a patch is available in version 1.1.1.
Successful exploitation of this SQL Injection vulnerability could grant an attacker complete control over the WordPress database. This includes the ability to read, modify, or delete sensitive data such as user credentials, employee records, and financial information. An attacker could also leverage this access to escalate privileges, gain remote code execution on the server, or launch further attacks against other systems within the network. The potential blast radius is significant, particularly for organizations relying on WP HRM LITE to manage critical HR data.
CVE-2025-46455 has been publicly disclosed and is considered a high-priority vulnerability due to its critical severity and the potential for widespread exploitation. While no active campaigns have been publicly reported at the time of writing, publicly known SQL injection flaws often attract opportunistic attacks. The vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of exploitation.
Organizations utilizing WP HRM LITE for human resource management, particularly those running older, unpatched versions (0.0.0–1.1), are at significant risk. Shared hosting environments where multiple websites share the same database are also particularly vulnerable, as a compromise of one site could potentially impact others.
• wordpress / composer / npm:
  grep -r "indigoThemes/wp-hrm-lite" /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
  wp plugin list | grep wp-hrm-lite
• wordpress / composer / npm:
  curl -s https://your-wordpress-site.com/wp-content/plugins/wp-hrm-lite/readme.txt | grep -i '^Stable tag:'  # the plugin's readme.txt states the installed release; 1.1 or older is vulnerable
Disclosure
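As an added example that is not part of this advisory or of the plugin's own tooling: a small POSIX shell script that turns the checks above into a repeatable version test against the fixed release 1.1.1. It assumes the plugin slug is wp-hrm-lite, that `wp plugin list --format=csv` is used for machine-readable output, and that the plugin's readme.txt carries a standard `Stable tag:` line; the sample data embedded below is constructed, not real output.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed
# WP HRM LITE version falls in the affected range 0.0.0-1.1 (fixed in 1.1.1).
# Only POSIX sh, awk, sed and tr are used, so it runs on most hosts.

FIXED_VERSION="1.1.1"

# Returns 0 (true) when version $1 is strictly lower than version $2.
# Compares dotted numeric components; a missing component counts as 0,
# so "1.1" < "1.1.1" and "1.1.1" is not lower than itself.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0;
            q = (i <= m) ? y[i] + 0 : 0;
            if (p < q) exit 0;
            if (p > q) exit 1;
        }
        exit 1
    }'
}

# Returns 0 when the given version is older than the fixed release.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Reads a plugin readme.txt on stdin and prints the "Stable tag:" value
# (the release WordPress reports for the installed plugin).
stable_tag_from_readme() {
    sed -n 's/^[Ss]table [Tt]ag:[[:space:]]*//p' | head -n1 | tr -d '\r'
}

# Reads `wp plugin list --format=csv` output on stdin and prints the
# version column for the plugin slug given as $1 (columns: name,status,update,version).
version_from_wp_plugin_list() {
    awk -F, -v slug="$1" '$1 == slug { print $4 }'
}

main() {
    # Constructed sample of `wp plugin list --format=csv` output (assumed, not real data).
    sample_csv='name,status,update,version
akismet,active,none,5.0
wp-hrm-lite,active,available,1.1'

    v=$(printf '%s\n' "$sample_csv" | version_from_wp_plugin_list wp-hrm-lite)
    if [ -z "$v" ]; then
        echo "wp-hrm-lite is not installed"
    elif is_vulnerable "$v"; then
        echo "wp-hrm-lite $v is in the affected range (older than $FIXED_VERSION): upgrade"
    else
        echo "wp-hrm-lite $v is not affected"
    fi
}

main
```

On a real host, replace the embedded sample with `wp plugin list --format=csv | version_from_wp_plugin_list wp-hrm-lite`, or feed `cat wp-content/plugins/wp-hrm-lite/readme.txt | stable_tag_from_readme` into `is_vulnerable` when WP-CLI is unavailable.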
Exploit Status:
EPSS: 0.23% (46th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-46455 is to immediately upgrade WP HRM LITE to version 1.1.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the vulnerable endpoints using a Web Application Firewall (WAF) or proxy server. Configure the WAF to block any SQL injection attempts targeting the affected parameters. Regularly monitor database logs for suspicious activity and implement strong password policies to limit the impact of a potential breach. After upgrading, confirm the vulnerability is resolved by attempting a SQL injection payload on the affected endpoint and verifying that it is properly sanitized.
Update the WP HRM LITE plugin to a fixed version. Check the plugin's website or the WordPress plugin repository for the latest available release. Since this is a SQL injection vulnerability, a security audit of the plugin's code is recommended to prevent future vulnerabilities.
CVE-2025-46455 is a critical SQL Injection vulnerability affecting WP HRM LITE versions 0.0.0–1.1, allowing attackers to inject malicious SQL code and potentially access sensitive data.
You are affected if you are using WP HRM LITE versions 0.0.0 through 1.1. Check your plugin version and upgrade immediately if vulnerable.
Upgrade WP HRM LITE to version 1.1.1 or later to patch the SQL Injection vulnerability. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
While no active campaigns have been publicly reported, the vulnerability's critical severity makes it a likely target for exploitation. Monitor your systems closely.
Refer to the IndigoThemes website and WordPress plugin repository for the official advisory and update information regarding CVE-2025-46455.