Impact
This vulnerability arises from insufficient verification of state‑changing requests within the Custom Field For WP Job Manager plugin. When an attacker tricks an authenticated administrator into visiting a crafted URL or form, the site may perform actions such as modifying plugin options, creating or deleting job postings, or otherwise altering data controlled by the plugin, without the administrator’s knowledge. The weakness is identified as CWE‑352 and results in a breach of integrity rather than confidentiality or availability.
Affected Systems
WordPress installations that have version 1.4 or earlier of the theme funda Custom Field For WP Job Manager plugin installed are affected. Only sites where the plugin is enabled and an authenticated user visits a maliciously crafted request are at risk.
Risk and Exploitability
The CVSS score of 4.3 shows moderate severity, while the EPSS score of less than 1% indicates a very low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with sufficient privileges, likely an administrator, who is tricked into performing a state‑changing action through a cross‑site request. Given the low EPSS, the immediate threat level is low, but the integrity impact warrants monitoring and mitigation.
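For the monitoring mentioned above, the following added example (not part of the advisory or the plugin) classifies web-server access-log lines and flags successful state-changing requests to `/wp-admin/` whose Referer is off-site or missing. The hostname, the log lines and the query parameters are constructed assumptions, and the log format is assumed to be Combined Log Format.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "jobs.example.test"  # assumption: hostname of the protected site

# Combined Log Format: ip - user [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://jobs.example.test/wp-admin/edit.php" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2025:10:04:40 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://offsite.example.net/page.html" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2025:10:05:11 +0000] "GET /wp-admin/admin.php?page=settings&action=delete&id=4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2025:10:06:00 +0000] "GET /jobs/ HTTP/1.1" 200 9000 "https://offsite.example.net/" "Mozilla/5.0"',
]

def referer_host(referer):
    """Return the lowercase Referer hostname, or None when the header is absent."""
    if referer in ("", "-"):
        return None
    return (urlsplit(referer).hostname or "").lower()

def classify(line, site_host=SITE_HOST):
    """Return 'cross-site', 'no-referer' or None for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if not url.path.startswith("/wp-admin/"):
        return None
    # State change: any POST, or a GET that carries an action in its query string.
    changing = m["method"] == "POST" or (m["method"] == "GET" and "action=" in url.query)
    # Only requests the server accepted (2xx/3xx) are worth reviewing.
    if not changing or not m["status"].startswith(("2", "3")):
        return None
    host = referer_host(m["referer"])
    if host is None:
        return "no-referer"  # weaker signal: referrer policies also strip the header
    return None if host == site_host.lower() else "cross-site"

def findings(lines, site_host=SITE_HOST):
    """Return (label, line) pairs for every flagged line."""
    labelled = ((classify(line, site_host), line) for line in lines)
    return [(label, line) for label, line in labelled if label]
```

A flagged line is a lead for review against the plugin's data and options at that timestamp, not proof of a forged request.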