CVE-2026-15349
The ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all version
CVSS
4.3
Medium
EPSS
—
KEV
—
Exploit Today
—
0-100
Published: Jul 17, 2026 · Last modified: Jul 17, 2026 · CWE-862
Not enough EPSS history yet.
The ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.17.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary company locations in the ERP database.
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/erp/tags/1.17.5/includes/Admin/AdminPage.php#L23
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/erp/tags/1.17.5/includes/Admin/Ajax.php#L23
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/erp/tags/1.17.5/includes/Admin/Ajax.php#L516
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/erp/tags/1.17.5/includes/Admin/views/address.php#L72
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/erp/tags/1.17.6/includes/Admin/AdminPage.php#L23
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/erp/tags/1.17.6/includes/Admin/Ajax.php#L23
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/erp/tags/1.17.6/includes/Admin/Ajax.php#L516
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/erp/tags/1.17.6/includes/Admin/views/address.php#L72
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/changeset?reponame=&old=3609754%40erp&new=3609754%40erp
- www.wordfence.comhttps://www.wordfence.com/threat-intel/vulnerabilities/id/0c943b6b-9b54-4569-a027-11571f152b6c?source=cve
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-277718.2 HIG98.5%
——30Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information.10dCVE-2023-361447.5 HIG98.3%
——30An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1.00.54 allows an unauthenticated attacker to download the backup file of the device, exposing critical information about the device configuration.8dCVE-2021-445958.8 HIG97.3%
——29Wondershare Dr. Fone Latest version as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to the ElevationService.exe and execute arbitrary code without any validation with SYSTEM privileges.8dCVE-2020-253669.1 CRI82.0%
——25An issue in the component /cgi-bin/upload_firmware.cgi of D-Link DIR-823G REVA1 1.02B05 allows attackers to cause a denial of service (DoS) via unspecified vectors.8dCVE-2020-220076.8 MED80.9%
——24OS Command Injection vulnerability in OKER G955V1 v1.03.02.20161128, allows physical attackers to interrupt the boot sequence and execute arbitrary commands with root privileges.12dCVE-2026-405028.8 HIG74.5%
——22OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execute administrative commands such as /permissions full_auto through remote chat sessions to change permission modes of a running OpenHarness instance without operator authorization.2d