JobBank
CVE-2025-69189
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
WordPress plugin endpoint reachable over the network with no authentication or user interaction (AV:N/AC:L/PR:N/UI:N); missing authorization grants limited but non-zero access to plugin data and actions, so C/I/A are each Low.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in EMV JobBank allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects JobBank: from n/a through 1.2.3.
AnalysisAI
Broken access control in EMV's JobBank WordPress plugin (versions up to and including 1.2.3) allows remote unauthenticated attackers to invoke functionality that should be restricted by authorization checks. The flaw stems from incorrectly configured access control levels on plugin endpoints, enabling attackers to interact with protected operations without proper privileges. No public exploit identified at time of analysis, but the network-reachable, low-complexity nature makes opportunistic scanning likely against WordPress sites running this plugin.
Technical ContextAI
JobBank is a WordPress plugin published by EMV that provides job board functionality. The vulnerability is classified as CWE-862 (Missing Authorization), meaning one or more plugin actions - likely AJAX handlers, REST endpoints, or admin-post hooks registered by the plugin - fail to verify the caller's capability or role before executing privileged logic. In WordPress plugins this typically manifests as handlers that omit current_user_can() checks, register endpoints with permission_callback set to __return_true, or expose nopriv AJAX actions that should be authenticated. The CPE cpe:2.3:a:emv:jobbank:*:*:*:* covers all released versions through 1.2.3.
RemediationAI
No vendor-released patch identified at time of analysis; the input data lists affected versions through 1.2.3 with no fixed release noted, so administrators should monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/jobbank/vulnerability/wordpress-jobbank-plugin-1-2-3-broken-access-control-vulnerability and the WordPress.org plugin page for an updated build above 1.2.3. Until a patched version is published, compensating controls include deactivating the JobBank plugin entirely (eliminates the attack surface but removes job board functionality from the site), restricting access to /wp-admin/admin-ajax.php and the plugin's REST namespace via a WAF rule that filters on the plugin's specific action names (reduces risk but requires identifying the affected handlers from the advisory), or placing the affected endpoints behind HTTP authentication or IP allow-listing for trusted operators only (breaks anonymous front-end job applications if those rely on the same endpoints). Patchstack subscribers can enable virtual patching for this CVE as an interim measure.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today