{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39660", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "REJECTED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:53.260Z", "datePublished": "2026-04-08T08:30:37.120Z", "dateUpdated": "2026-04-29T13:50:48.817Z", "dateRejected": "2026-04-29T13:50:48.817Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T13:50:48.817Z"}, "rejectedReasons": [{"lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}]}], "x_generator": {"engine": "Vulnogram 1.0.2"}}}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39660", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "REJECTED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:53.260Z", "datePublished": "2026-04-08T08:30:37.120Z", "dateUpdated": "2026-04-29T13:50:48.817Z", "dateRejected": "2026-04-29T13:50:48.817Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T13:50:48.817Z"}, "rejectedReasons": [{"lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}]}], "x_generator": {"engine": "Vulnogram 1.0.2"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}], "id": "CVE-2026-39660", "lastModified": "2026-04-29T15:16:05.867", "metrics": {}, "published": "2026-04-08T09:16:37.227", "references": [], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Rejected"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WP Job Manager", "source": "cna", "vendor": "Automattic"}, "product": "wp_job_manager", "vendor": "automattic"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T21:48:21.321541+00:00", "value": {"mitigation_remediation": ["Update WP Job Manager plugin to version 2.4.2 or later", "Verify that role and capability restrictions are correctly configured in the plugin settings", "If an immediate update is not possible, restrict external access to the plugin\u2019s administrative endpoints using a web\u2011application firewall or IP whitelisting"], "summary": {"action": "Patch ASAP", "impact": "Unauthorized access to privileged functions in WordPress WP Job Manager"}, "threat_synthesis": {"affected_systems": "All installations of the Automattic WP Job Manager WordPress plugin from the earliest release through version 2.4.1 are affected.", "description_and_impact": "Missing authorization control in the WP Job Manager plugin allows a user without proper credentials to access and manipulate job listings and administrative features that should be protected, affecting the confidentiality, integrity, and availability of the website's job posting data.", "risk_and_exploitability": "The CVSS v3.1 score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild; the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can exploit the flaw via web requests to the plugin's management endpoints, potentially from remote locations, assuming access to the WordPress site or an authenticated session with limited privileges."}}}}, "created": "2026-04-08T19:28:12.909597+00:00", "updated": "2026-04-14T16:38:46.956903+00:00", "vendors": ["automattic", "automattic$PRODUCT$wp_job_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}