{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25404", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:19.000Z", "datePublished": "2026-02-19T08:27:04.284Z", "dateUpdated": "2026-04-28T16:14:58.267Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-job-manager", "product": "WP Job Manager", "vendor": "Automattic", "versions": [{"changes": [{"at": "2.4.1", "status": "unaffected"}], "lessThanOrEqual": "2.4.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tristan Jay Neale | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:08.121Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Job Manager: from n/a through <= 2.4.0.</p>"}], "value": "Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager: from n/a through <= 2.4.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:58.267Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-manager/vulnerability/wordpress-wp-job-manager-plugin-2-4-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Job Manager plugin <= 2.4.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T21:14:57.107690Z", "id": "CVE-2026-25404", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:14:50.131Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25404", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T21:14:57.107690Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T19:38:04.016Z"}}], "cna": {"title": "WordPress WP Job Manager plugin <= 2.4.0 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tristan Jay Neale | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Automattic", "product": "WP Job Manager", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 2.4.0"}], "packageName": "wp-job-manager", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-02-19T09:26:04.984Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-manager/vulnerability/wordpress-wp-job-manager-plugin-2-4-0-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager: from n/a through <= 2.4.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Job Manager: from n/a through <= 2.4.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-19T08:27:04.284Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25404", "state": "PUBLISHED", "dateUpdated": "2026-02-24T21:15:08.824Z", "dateReserved": "2026-02-02T12:53:19.000Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:04.284Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager: from n/a through <= 2.4.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Automattic WP Job Manager wp-job-manager permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP Job Manager: desde n/a hasta &lt;= 2.4.0."}], "id": "CVE-2026-25404", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:22.207", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-manager/vulnerability/wordpress-wp-job-manager-plugin-2-4-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WP Job Manager", "source": "cna", "vendor": "Automattic"}, "product": "wp_job_manager", "vendor": "automattic"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:17:52.159911+00:00", "value": {"mitigation_remediation": ["Update WP Job Manager plugin to version 2.4.1 or later to apply the vendor fix.", "Review and tighten role permissions for the plugin, ensuring only appropriate user roles can add, edit, or delete job listings.", "If an immediate update is not possible, restrict access to the plugin\u2019s administration pages by IP or user role to mitigate misuse."], "summary": {"action": "Apply patch", "impact": "Unauthorized access to job listings and management functions"}, "threat_synthesis": {"affected_systems": "The issue affects all installations of Automattic WP Job Manager plugin up to and including version 2.4.0. Users running any earlier releases or unreleased versions are also covered by the fix statement in the vendor\u2019s advisory.", "description_and_impact": "A missing authorization check in the WordPress WP Job Manager plugin allows an attacker to modify, delete, or create job listings beyond the intended permissions. The flaw falls under CWE\u2011862, leading to unauthorized access and potential manipulation of employment data, which can compromise the integrity of the job board and expose sensitive applicant information. This vulnerability can be used to tamper with listings, deface the board, or spam postings.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium impact, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at this time. The vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is via the website\u2019s authenticated user interface where role-based checks are bypassed; an attacker with legitimate credentials can exploit the flaw unless roles are properly limited."}}}}, "created": "2026-02-20T10:08:28.228273+00:00", "updated": "2026-04-16T00:30:18.853254+00:00", "vendors": ["automattic", "automattic$PRODUCT$wp_job_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}