PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15349 wedevs CVE debrief

The ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin for WordPress has an authorization bypass vulnerability in all versions up to, and including, 1.17.6. Authenticated attackers with subscriber-level access and above can create arbitrary company locations in the ERP database. This vulnerability has a CVSS score of 4.3 and a severity of MEDIUM. The vulnerability was reported by [email protected] and is tracked in various source references.

Vendor
wedevs
Product
ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of the ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin for WordPress, especially those with subscriber-level access and above, should be aware of this vulnerability and take necessary actions to protect their sites.

Technical summary

The ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to improper verification of user authorization. This allows authenticated attackers with subscriber-level access and above to create arbitrary company locations in the ERP database. The vulnerability has a CVSS score of 4.3 and a severity of MEDIUM. Affected product deployments should be reviewed for exposure, and owners assigned for follow-up. Compensating controls should be considered for exposed systems while remediation is scheduled and verified. Relevant monitoring, detection, and logs should be checked for exposed assets that need extra review.

Defensive priority

Medium priority due to the CVSS score of 4.3 and the potential impact of creating arbitrary company locations.

Recommended defensive actions

  • Update the ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin to the latest version.
  • Restrict access to sensitive areas of the ERP database.
  • Monitor for suspicious activity related to company location creation.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The vulnerability was reported by [email protected] and is tracked in various source references. The ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin for WordPress has an authorization bypass vulnerability due to improper verification of user authorization. This allows authenticated attackers with subscriber-level access and above to create arbitrary company locations in the ERP database. The vulnerability has a CVSS score of 4.3 and a severity of MEDIUM. The CVE record was published on 2026-07-17T05:16:38.197Z and has not been modified since then.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T05:16:38.197Z and has not been modified since then.