Skip to main content

Jobica Core CVE-2026-27049

| EUVD-2026-15767 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-03-25 Patchstack GHSA-f39p-p4f3-mvp5
Authentication Bypass Jobica Core
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15767
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
CRITICAL 9.8

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobica Core jobica-core allows Authentication Abuse.This issue affects Jobica Core: from n/a through <= 1.4.2.

AnalysisAI

Unauthenticated attackers can bypass authentication controls in NooTheme Jobica Core through an alternate access path, affecting versions up to 1.4.2. This critical vulnerability (CVSS 9.8) enables attackers to gain unauthorized access without credentials or user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify alternate authentication path in Jobica Core
Delivery
Bypass login mechanism without credentials
Exploit
Access admin functions
Execution
Modify user privileges or data
Impact
Execute unauthorized actions with full system access
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Remote unauthenticated attacker can exploit NooTheme Jobica Core versions through 1.4.2 via an alternate authentication path or channel. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Without published CVSS scores, EPSS percentiles, or KEV status, this vulnerability's real-world priority must be assessed through available signals: it is confirmed by a reputable security researcher (Patchstack) with a published advisory, affects a WordPress plugin with unknown but potentially significant user base, and directly enables account takeover (technical impact: confidentiality, integrity, and availability compromise). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers the alternate authentication path exposed by Jobica Core (such as a poorly secured REST endpoint or plugin-specific login handler) and crafts requests that bypass the standard WordPress authentication validation. By directly calling this alternate channel without proper credential verification, the attacker gains access to another user's account—potentially an administrator account—without knowing the correct password. …
Remediation Immediately upgrade NooTheme Jobica Core to a version after 1.4.2 (verify the latest patched version via the Patchstack advisory and the plugin's official repository). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all affected systems and apply vendor patches immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-27049 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy