CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-9237

mediumCVSS 4.3covered by 1 sourcefirst seen 2026-07-09
The Employee, Leave and Recruitment Management System – Crew HRM plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete, archive, unarchive, and duplicate arbitrary job listings — along with their associated stages, meta, addresses, and applications — by supplying an arbitrary integer job_id. The nonce verified by Dispatcher::dispatch() is exposed to all authenticated front-end visitors via wp_head script localization, meaning subscribers can trivially obtain it and satisfy the nonce check without possessing any elevated privilege.

⚡ Watch CVE-2026-9237

Get an email if CVE-2026-9237 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-9237

CVE.org record

Embed the live status

CVE-2026-9237 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-9237 status](https://www.csirts.com/badge/CVE-2026-9237)](https://www.csirts.com/cve/CVE-2026-9237)