Skip to main content

Wp Job Manager EUVDEUVD-2026-20330

| CVE-2026-39660 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-9qfh-84j7-pg32
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:43 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20330
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager: from n/a through <= 2.4.1.

AnalysisAI

Missing authorization in Automattic WP Job Manager through version 2.4.1 allows unauthenticated remote attackers to modify plugin data through incorrectly configured access control, enabling unauthorized changes to job listings and related content without proper privilege validation. The vulnerability has a low real-world exploitation probability (EPSS 0.02%) despite the network-accessible attack vector, suggesting limited practical exploitability in typical WordPress deployments.

Technical ContextAI

WP Job Manager is a WordPress plugin that manages job listings and applications. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to properly validate user permissions before allowing modifications to protected resources. WordPress plugins commonly expose REST API endpoints or admin actions without sufficient capability checks, allowing any authenticated or unauthenticated user to bypass access control lists. The affected CPE cpe:2.3:a:automattic:wp_job_manager:*:*:*:*:*:*:*:* indicates all versions through 2.4.1 contain this authorization flaw.

RemediationAI

Update WP Job Manager to version 2.4.2 or later as released by Automattic. Site administrators should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate WP Job Manager, and click Update. If auto-updates are not enabled, manual download from wordpress.org/plugins/wp-job-manager/ is available. Interim workaround: restrict REST API access via WordPress security plugins or .htaccess rules limiting access to wp-json/wp-job-manager endpoints if the site does not require public job posting functionality. Patchstack advisory and NVD entry provide additional context at the references listed above.

Share

EUVD-2026-20330 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy