Description
Authorization Bypass Through User-Controlled Key vulnerability in themeglow JobBoard Job listing job-board-light allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBoard Job listing: from n/a through <= 1.2.8.
Published: 2025-04-01
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference that allows an attacker to bypass the intended authorization controls by providing a user‑controlled key in API requests. This permits reading and potentially modifying job listings or details that the user should not have access to, leading to data exposure and corruption.

Affected Systems

The issue affects the JobBoard Job listing WordPress plugin from themeglow, for all releases through version 1.2.8, inclusive. No specific sub‑versions are listed, but any installation running 1.2.8 or earlier is vulnerable.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate risk, and the EPSS score of <1% reflects a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attack vectors are most likely crafted HTTP requests to the plugin’s endpoints that carry a manipulated identifier to target data the requester is not entitled to. Because the issue stems from incorrectly configured access‑control levels, any authenticated user who manipulates the key could gain access that was never intended for their role.

Generated by OpenCVE AI on May 1, 2026 at 01:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JobBoard Job listing plugin to a version newer than 1.2.8 or apply the vendor’s official patch if available.
  • Ensure that only authorized user roles can request job‑listing data, removing public access to any endpoints that expose job information.
  • Monitor web server logs for anomalous requests that include manipulated identifiers and enforce rate limiting or blocking as needed.

Advisories
Source: EUVD
ID: EUVD-2025-9198
Title: Authorization Bypass Through User-Controlled Key vulnerability in themeglow JobBoard Job listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBoard Job listing: from n/a through 1.2.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Removed: Authorization Bypass Through User-Controlled Key vulnerability in themeglow JobBoard Job listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBoard Job listing: from n/a through 1.2.7.
    Added: Authorization Bypass Through User-Controlled Key vulnerability in themeglow JobBoard Job listing job-board-light allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JobBoard Job listing: from n/a through <= 1.2.8.
  Title
    Removed: WordPress JobBoard Job listing plugin Plugin <= 1.2.7 - Insecure Direct Object References (IDOR) vulnerability
    Added: WordPress JobBoard Job listing plugin Plugin <= 1.2.8 - Insecure Direct Object References (IDOR) vulnerability
  References (values not shown)
  Metrics (cvssV3_1): {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}

Tue, 01 Apr 2025 19:15:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 15:00:00 +0000

  Description: Authorization Bypass Through User-Controlled Key vulnerability in themeglow JobBoard Job listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBoard Job listing: from n/a through 1.2.7.
  Title: WordPress JobBoard Job listing plugin Plugin <= 1.2.7 - Insecure Direct Object References (IDOR) vulnerability
  Weaknesses: CWE-639
  References (values not shown)
  Metrics (cvssV3_1): {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:13.986Z

Reserved: 2025-04-01T13:20:41.853Z

Link: CVE-2025-31833

Vulnrichment

Updated: 2025-04-01T19:02:43.615Z

NVD

Status : Deferred

Published: 2025-04-01T15:16:23.643

Modified: 2026-04-23T15:28:22.923

Link: CVE-2025-31833

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T02:00:06Z

Weaknesses