Description
Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Portal: from n/a through <= 2.4.3.
Published: 2026-01-22
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Patch Now
AI Analysis

Impact

This vulnerability is an Insecure Direct Object Reference (IDOR) in the WP Job Portal plugin, classified as CWE-639 (Authorization Bypass Through User-Controlled Key). An attacker can bypass authorization checks by supplying a user-controlled key, exploiting incorrectly configured access-control security levels. This enables the discovery, reading, or modification of job postings and related data without proper permissions. The impact is a loss of data confidentiality and integrity for all users, potentially affecting the entire site if administrative data can be accessed.

Affected Systems

The WP Job Portal plugin for WordPress, version 2.4.3 or earlier, is affected. No specific sub‑versions are listed beyond the maximum of 2.4.3, so any installation of the plugin using that or older releases is vulnerable.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical-severity risk. The EPSS score is less than 1% at the time of analysis, suggesting that active exploitation is currently rare, and the vulnerability is not listed in the KEV catalog. Based on the description, it is inferred that the attacker could trigger the vulnerability remotely via crafted HTTP requests to the plugin's endpoints, without needing elevated privileges. This could allow data disclosure or modification, posing a significant threat even if exploitation attempts are infrequent.

Generated by OpenCVE AI on April 18, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available WP Job Portal plugin update that is newer than 2.4.3, if one has been released.
  • Ensure that only users with the appropriate capabilities can view or edit job listings by configuring role‑based permissions in the plugin’s settings.
  • Review custom code or integrations that expose object identifiers and add validation or sanitization to enforce proper access controls.


Advisories

No advisories yet.

History

Mon, 26 Jan 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Fri, 23 Jan 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wpjobportal; Wpjobportal wp Job Portal
Vendors & Products | | Wordpress; Wordpress wordpress; Wpjobportal; Wpjobportal wp Job Portal

Thu, 22 Jan 2026 23:00:00 +0000

Type | Values Removed | Values Added
Description | | Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Portal: from n/a through <= 2.4.3.
Title | | WordPress WP Job Portal plugin <= 2.4.3 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses | | CWE-639
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:09.921Z

Reserved: 2026-01-22T14:42:40.516Z

Link: CVE-2026-24379

Vulnrichment

Updated: 2026-01-23T16:47:22.756Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:40.790

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24379

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:30:03Z

Weaknesses