Impact
The WordPress WPJobBoard plugin contains multiple Cross-Site Request Forgery (CSRF) vulnerabilities. A malicious actor can cause forged HTTP requests to be sent to the plugin, which then carries out actions the user did not intend. The flaw is classified as CWE-352. It stems from the plugin performing state-changing operations without first verifying that the request was intentionally issued from a legitimate, authenticated session. By exploiting this weakness, an attacker could potentially change listings, submit comments, or perform administrative updates without the user's knowledge.
Affected Systems
All releases of the WPJobBoard plugin older than version 5.11.1 are affected. The plugin authors recommend updating to 5.11.1 or newer, which contains the fixed token validation logic. No patch releases other than 5.11.1 are known for earlier versions.
Risk and Exploitability
The CVSS score of 4.3 classifies the vulnerability as low severity. The EPSS score is listed as < 1%, indicating that the probability of real-world exploitation is very low. The issue is not tracked in the CISA KEV catalog. The most plausible attack path is that a user who is already logged into the WordPress site is tricked into clicking a malicious link that triggers a forged request. Because exploitation requires the victim's authenticated session and interaction, the immediate risk is modest, but the impact could be significant for sites that expose sensitive or private content via WPJobBoard.
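The token validation this class of fix relies on, shown for a hypothetical WordPress plugin handler (an added example, not WPJobBoard's code; the `example_*` names, the form and the "close listing" action are assumptions): an unprotected handler, then the same handler checking a per-action nonce with WordPress's own `wp_nonce_field` and `check_admin_referer`.

```php
<?php
// Hypothetical plugin code, not WPJobBoard's; every example_* name is an assumption.

// BEFORE (shown unregistered): the session cookie is the only check. A browser
// can attach that cookie to a request started from another site, so the
// handler cannot tell a forged POST from one the user meant to send.
function example_close_listing_unsafe() {
    $id = absint($_POST['listing_id'] ?? 0);
    wp_update_post(['ID' => $id, 'post_status' => 'draft']);
    wp_safe_redirect(admin_url('edit.php'));
    exit;
}

// AFTER, step 1: the form carries a nonce bound to this action, this listing
// and the current user, valid only for a limited time.
function example_render_close_form($listing_id) {
    $id = absint($listing_id);
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="example_close_listing">';
    echo '<input type="hidden" name="listing_id" value="' . $id . '">';
    wp_nonce_field('example_close_listing_' . $id, 'example_nonce');
    echo '<button type="submit">Close listing</button></form>';
}

// AFTER, step 2: the handler rejects any request without a valid nonce
// before it touches state.
add_action('admin_post_example_close_listing', 'example_close_listing');
function example_close_listing() {
    $id = absint($_POST['listing_id'] ?? 0);

    // Stops with a 403 page if the nonce is missing, expired, or was issued
    // for a different action, listing or user.
    check_admin_referer('example_close_listing_' . $id, 'example_nonce');

    // A nonce proves intent, not permission, so authorize separately.
    if (!current_user_can('edit_post', $id)) {
        wp_die('Forbidden', '', ['response' => 403]);
    }

    wp_update_post(['ID' => $id, 'post_status' => 'draft']);
    wp_safe_redirect(admin_url('edit.php'));
    exit;
}
```

When reviewing a plugin for this class of flaw, look for state-changing `admin_post_*`, `wp_ajax_*` or `init` handlers that read `$_POST` or `$_GET` without a preceding `check_admin_referer`, `check_ajax_referer` or `wp_verify_nonce` call.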