Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-accessible with no authentication required (PR:N, AV:N); integrity-only impact (I:L) as the bypass enables unauthorized data modification without confidentiality exposure or availability impact.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in WP Reloaded ApplyOnline allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects ApplyOnline: from n/a through 2.6.7.6.
AnalysisAI
Missing authorization controls in the ApplyOnline WordPress plugin (versions through 2.6.7.6) by WP Reloaded allow unauthenticated remote attackers to perform unauthorized write-level actions by exploiting incorrectly configured access control security levels. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no user interaction against any network-accessible WordPress installation running this plugin. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required for exploitation beyond the plugin being installed and active on a publicly accessible WordPress site running version 2.6.7.6 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.3 Medium score is consistent with the available signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress site running ApplyOnline ≤ 2.6.7.6 and sends crafted HTTP requests directly to the plugin's unprotected AJAX or REST API endpoints, bypassing the absent authorization check. The attacker can then perform write-level operations - such as modifying, injecting, or deleting job application records - without holding any WordPress account. … |
| Remediation | The primary remediation is to update the ApplyOnline plugin beyond version 2.6.7.6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41092
GHSA-wj2r-v957-gq8q