CVE-2023-45765 - Exploiting Missing Authorization in weDevs WP ERP Access Control (Versions up to 1.12.6)

In late 2023, a serious vulnerability (CVE-2023-45765) was discovered in the popular WP ERP plugin by weDevs. This plugin is widely used for managing HR, CRM, and Accounting on WordPress sites. The flaw comes from *missing authorization checks* on sensitive actions within the plugin, and incorrect configuration of access controls. This opens the door for unauthorized users to perform restricted operations—significantly increasing the risk to your site's user data and business logic.

Affected Versions: All versions up to and including 1.12.6

What’s the Vulnerability?

The vulnerability boils down to the lack of proper user authentication and capability checks before allowing access to privileged ERP functions and data endpoints.

That means, under certain circumstances, a non-privileged user (or even an unauthenticated visitor) can trick the system into running admin-level operations. This can include modifying employee data, exporting CSVs, or leaking sensitive information.

Suppose WP ERP exposes a custom AJAX endpoint like this

// File: includes/ajax/class-ajax.php

add_action( 'wp_ajax_erp_hr_get_employees', 'erp_hr_get_employees' );
function erp_hr_get_employees() {
    // -- MISSING: Checking user role/capability here --
    $employees = erp_hr_get_employee_list_from_db();
    wp_send_json_success( $employees );
}

Notice: There is no check for user authentication or capability. Anyone who can fire this AJAX call can get sensitive employee info.

An attacker just needs to send an AJAX request like

POST /wp-admin/admin-ajax.php?action=erp_hr_get_employees HTTP/1.1
Host: victimsite.com

The response would include the employees database as a JSON object—even if the user wasn't logged in or a regular site visitor.

Exploiting Incorrect Security Levels

In some cases, the plugin would check is_user_logged_in() but not confirm if the user is an admin or HR manager. A basic WooCommerce customer or even a subscriber could still call endpoints meant for HR managers only.

Visit (or cURL) a suspected WP ERP AJAX endpoint:

https://yourdomain.com/wp-admin/admin-ajax.php?action=erp_hr_get_employees

The patch (in v1.12.7+) tightens access controls

function erp_hr_get_employees() {
    if ( ! current_user_can( 'erp_hr_manager' ) ) {
        wp_send_json_error( 'Unauthorized', 403 );
    }
    $employees = erp_hr_get_employee_list_from_db();
    wp_send_json_success( $employees );
}

Best Practice:
Always check current_user_can( 'required_capability' ) in YOUR plugin or theme code, before handling sensitive data or operations!

References & Further Reading

- CVE-2023-45765 at NVD
- Wordfence Vulnerability Advisory
- weDevs WP ERP Plugin Download
- WP ERP changelog/fix

Ask your developers: Are ALL data-modifying Ajax or REST endpoints properly restricted?

This issue underlines why *authorization* matters, not just *authentication*, in keeping your WordPress site secure. Don’t risk your business—patch soon!


> Tip: If you need code review for your custom plugins, always look for missing calls to current_user_can() or similar permission functions!
> Stay safe out there! 🚨

Timeline

Published on: 01/02/2025 12:15:09 UTC