Description
Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Jobs for WordPress: from n/a through <= 2.8.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

A missing authorization check in the Jobs for WordPress plugin allows attackers to access administrative functionality that should be restricted. The flaw is a classic broken access control vulnerability (CWE‑862). An attacker can create, edit, or delete job postings, or view sensitive application data, without authenticating or without sufficient privileges, thereby enabling unauthorized manipulation of content and deception of job seekers.

Affected Systems

The weakness is present in the Jobs for WordPress job‑postings plugin by BlueGlass Interactive AG for all versions up to and including 2.8. Any WordPress site that has this plugin installed and has not been upgraded to a newer, patched release is affected.

Risk and Exploitability

The CVSS score is 7.5, indicating high impact. The EPSS score is below 1%, suggesting low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. Likely attack vectors involve sending crafted HTTP requests to the plugin’s administrative endpoints, and the flaw can be exploited without elevated privileges or prior authentication. Consequently, an unauthenticated attacker could potentially manipulate job listings.

Generated by OpenCVE AI on March 27, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jobs for WordPress plugin to the latest released version, which includes the access‑control fix.
  • If an upgrade is not immediately possible, block or restrict HTTP access to the plugin’s administrative URLs for non‑administrator users.
  • Verify that users with non‑admin roles no longer retain access to job‑posting management by conducting an access‑control test.

Generated by OpenCVE AI on March 27, 2026 at 19:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Blueglass Interactive Ag
Blueglass Interactive Ag jobs For Wordpress
Wordpress
Wordpress wordpress
Vendors & Products Blueglass Interactive Ag
Blueglass Interactive Ag jobs For Wordpress
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Jobs for WordPress: from n/a through <= 2.8.
Title WordPress Jobs for WordPress plugin <= 2.8 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Blueglass Interactive Ag Jobs For Wordpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:45:53.163Z

Reserved: 2026-01-16T14:15:17.505Z

Link: CVE-2026-23806

cve-icon Vulnrichment

Updated: 2026-03-27T17:54:07.024Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:16:35.853

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-23806

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:26:32Z

Weaknesses