This vulnerability is a Cross‑Site Request Forgery flaw that exists in the Job Board Manager plugin from PickPlugins. When the plugin is installed at a version equal to or preceding 2.1.59, an authenticated user can be tricked into executing an action that the attacker has specified through a maliciously crafted request. The flaw permits the attacker to perform any operation that the user is authorized to carry out within the plugin, such as deleting or modifying job listings, without the user’s knowledge. The weakness is classified as CWE‑352 and is limited to the plugin’s functionality.

All instances of the Job Board Manager plugin whose version number is <= 2.1.59 are affected. The affected component is the PickPlugins Job Board Manager plugin. The vulnerability appears in all builds from the earliest available version up to and including 2.1.59. Systems that run WordPress with this plugin installed on any version in that range are vulnerable.

The vulnerability carries a CVSS score of 5.4, indicating moderate severity. The EPSS score of less than 1% shows that exploitation is unlikely at this time, and the vulnerability is not listed in the CISA KEV catalog. Attackers could exploit the flaw through a crafted HTTP request, most likely by directing a user who is logged into WordPress to a malicious URL. Because the vulnerability requires an authenticated session and the ability to issue a request, it is considered moderate risk but unlikely to be widely used in the immediate future.