CVE-2026-39660 - Vulnerability Details

Description

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Published: 2026-04-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Missing authorization control in the WP Job Manager plugin allows a user without proper credentials to access and manipulate job listings and administrative features that should be protected, affecting the confidentiality, integrity, and availability of the website's job posting data.

Affected Systems

All installations of the Automattic WP Job Manager WordPress plugin from the earliest release through version 2.4.1 are affected.

Risk and Exploitability

The CVSS v3.1 score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild; the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can exploit the flaw via web requests to the plugin's management endpoints, potentially from remote locations, assuming access to the WordPress site or an authenticated session with limited privileges.

No data.

Vendor Product Confidence Versions

Automattic

Wp Job Manager

100%

Version	Status	Scheme	Platform
`[0,2.4.1]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update WP Job Manager plugin to version 2.4.2 or later
Verify that role and capability restrictions are correctly configured in the plugin settings
If an immediate update is not possible, restrict external access to the plugin’s administrative endpoints using a web‑application firewall or IP whitelisting

Generated by OpenCVE AI on April 13, 2026 at 21:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Key SSVC decision points have not yet been added.

References

No reference.

History

Wed, 29 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-862
References	https://patchstack.com/database/Wordpress/Plugin/wp-job-manager/vulnerability/wordpress-wp-job-manager-plugin-2-4-1-broken-access-control-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Wed, 29 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Title	WordPress WP Job Manager plugin <= 2.4.1 - Broken Access Control vulnerability
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Wed, 29 Apr 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description	Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager: from n/a through <= 2.4.1.	This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Metrics	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Wed, 29 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Mon, 13 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 08 Apr 2026 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Automattic Automattic wp Job Manager Wordpress Wordpress wordpress
Vendors & Products		Automattic Automattic wp Job Manager Wordpress Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type	Values Removed	Values Added
Description		Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager: from n/a through <= 2.4.1.
Title		WordPress WP Job Manager plugin <= 2.4.1 - Broken Access Control vulnerability
Weaknesses		CWE-862
References		https://patchstack.com/database/Wordpress/Plugin/wp-job-manager/vulnerability/wordpress-wp-job-manager-plugin-2-4-1-broken-access-control-vulnerability?_s_id=cve

Subscriptions

Automattic Wp Job Manager

Wordpress Wordpress

MITRE

Status: REJECTED

Assigner: Patchstack

Published: 2026-04-08T08:30:37.120Z

Updated: 2026-04-29T13:50:48.817Z

Reserved: 2026-04-07T10:57:53.260Z

Link: CVE-2026-39660

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2026-04-08T09:16:37.227

Modified: 2026-04-29T15:16:05.867

Link: CVE-2026-39660

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:38:46Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object