Description
Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Manager: from n/a through <= 2.4.0.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to job listings and management functions
Action: Apply patch
AI Analysis

Impact

A missing authorization check in the WordPress WP Job Manager plugin allows an attacker to modify, delete, or create job listings beyond the intended permissions. The flaw is classified as CWE-862 (Missing Authorization), leading to unauthorized access and potential manipulation of employment data, which can compromise the integrity of the job board and expose sensitive applicant information. The vulnerability can be used to tamper with listings, deface the board, or spam postings.

Affected Systems

The issue affects all installations of the Automattic WP Job Manager plugin up to and including version 2.4.0. The advisory gives no lower bound ("n/a"), so all earlier releases fall within the affected range.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium impact, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at this time. The vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is via the website’s authenticated user interface where role-based checks are bypassed; an attacker with legitimate credentials can exploit the flaw unless roles are properly limited.

Generated by OpenCVE AI on April 16, 2026 at 00:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Job Manager plugin to version 2.4.1 or later to apply the vendor fix.
  • Review and tighten role permissions for the plugin, ensuring only appropriate user roles can add, edit, or delete job listings.
  • If an immediate update is not possible, restrict access to the plugin’s administration pages by IP or user role to mitigate misuse.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 22:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Fri, 20 Feb 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Automattic; Automattic wp Job Manager; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Automattic; Automattic wp Job Manager; Wordpress; Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Manager: from n/a through <= 2.4.0.

Type: Title
Values Removed: (none)
Values Added: WordPress WP Job Manager plugin <= 2.4.0 - Broken Access Control vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none)

Subscriptions

Automattic Wp Job Manager
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:55.091Z

Reserved: 2026-02-02T12:53:19.000Z

Link: CVE-2026-25404

Vulnrichment

Updated: 2026-02-19T19:38:04.016Z

NVD

Status: Deferred

Published: 2026-02-19T09:16:22.207

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25404

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:30:18Z

Weaknesses