{"id":"CVE-2020-36735","details":"The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.3. This is due to missing or incorrect nonce validation on the handle_leave_calendar_filter, add_enable_disable_option_save, leave_policies, process_bulk_action, and process_crm_contact functions. This makes it possible for unauthenticated attackers to modify the plugins settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","modified":"2026-04-12T00:01:06.292234Z","published":"2023-07-01T03:15:15.960Z","references":[{"type":"FIX","url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2368462%40erp&new=2368462%40erp&sfp_email=&sfph_mail="},{"type":"FIX","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/01b90498-0ddb-4eb3-b76d-de30ed03d7d0?source=cve"},{"type":"ARTICLE","url":"https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/"},{"type":"ARTICLE","url":"https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/"},{"type":"ARTICLE","url":"https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/"},{"type":"ARTICLE","url":"https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/"},{"type":"ARTICLE","url":"https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/"},{"type":"ARTICLE","url":"https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/"},{"type":"ARTICLE","url":"https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wp-erp/wp-erp","events":[{"introduced":"0"},{"last_affected":"fa3214d5974170d2a9fb78ae3005eb51f6d58d83"}],"database_specific":{"cpe":"cpe:2.3:a:wedevs:wp_erp:*:*:*:*:*:wordpress:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"1.6.3"}]}}],"versions":["v1.5.10","v1.5.11","v1.5.12","v1.5.13","v1.5.14","v1.5.15","v1.5.16","v1.5.2","v1.5.3","v1.5.4","v1.5.5","v1.5.6","v1.5.7","v1.5.8","v1.5.9","v1.6.0","v1.6.1","v1.6.2","v1.6.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-36735.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}]}