Skip to main content

JobBank CVE-2025-69189

HIGH
Missing Authorization (CWE-862)
2026-06-17 Patchstack
7.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
7.3 HIGH

WordPress plugin endpoint reachable over the network with no authentication or user interaction (AV:N/AC:L/PR:N/UI:N); missing authorization grants limited but non-zero access to plugin data and actions, so C/I/A are each Low.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 14:38 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in EMV JobBank allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects JobBank: from n/a through 1.2.3.

AnalysisAI

Broken access control in EMV's JobBank WordPress plugin (versions up to and including 1.2.3) allows remote unauthenticated attackers to invoke functionality that should be restricted by authorization checks. The flaw stems from incorrectly configured access control levels on plugin endpoints, enabling attackers to interact with protected operations without proper privileges. No public exploit identified at time of analysis, but the network-reachable, low-complexity nature makes opportunistic scanning likely against WordPress sites running this plugin.

Technical ContextAI

JobBank is a WordPress plugin published by EMV that provides job board functionality. The vulnerability is classified as CWE-862 (Missing Authorization), meaning one or more plugin actions - likely AJAX handlers, REST endpoints, or admin-post hooks registered by the plugin - fail to verify the caller's capability or role before executing privileged logic. In WordPress plugins this typically manifests as handlers that omit current_user_can() checks, register endpoints with permission_callback set to __return_true, or expose nopriv AJAX actions that should be authenticated. The CPE cpe:2.3:a:emv:jobbank:*:*:*:* covers all released versions through 1.2.3.

RemediationAI

No vendor-released patch identified at time of analysis; the input data lists affected versions through 1.2.3 with no fixed release noted, so administrators should monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/jobbank/vulnerability/wordpress-jobbank-plugin-1-2-3-broken-access-control-vulnerability and the WordPress.org plugin page for an updated build above 1.2.3. Until a patched version is published, compensating controls include deactivating the JobBank plugin entirely (eliminates the attack surface but removes job board functionality from the site), restricting access to /wp-admin/admin-ajax.php and the plugin's REST namespace via a WAF rule that filters on the plugin's specific action names (reduces risk but requires identifying the affected handlers from the advisory), or placing the affected endpoints behind HTTP authentication or IP allow-listing for trusted operators only (breaks anonymous front-end job applications if those rely on the same endpoints). Patchstack subscribers can enable virtual patching for this CVE as an interim measure.

Share

CVE-2025-69189 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy