{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39660", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:53.260Z", "datePublished": "2026-04-08T08:30:37.120Z", "dateUpdated": "2026-04-08T08:30:37.120Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-job-manager", "product": "WP Job Manager", "vendor": "Automattic", "versions": [{"lessThanOrEqual": "2.4.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:38.734Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Job Manager: from n/a through <= 2.4.1.</p>"}], "value": "Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager: from n/a through <= 2.4.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:37.120Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-manager/vulnerability/wordpress-wp-job-manager-plugin-2-4-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Job Manager plugin <= 2.4.1 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager: from n/a through <= 2.4.1."}], "id": "CVE-2026-39660", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:37.227", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-manager/vulnerability/wordpress-wp-job-manager-plugin-2-4-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WP Job Manager", "source": "cna", "vendor": "Automattic"}, "product": "wp_job_manager", "vendor": "automattic"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:03:36.255829+00:00", "value": {"mitigation_remediation": ["Update WP Job Manager to a version newer than 2.4.1", "Verify that role\u2011based access controls are correctly configured", "Audit user permissions on the WordPress site", "Remove the plugin if it is no longer needed", "Monitor site logs for suspicious activity"], "summary": {"action": "Patch Now", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The flaw affects the WordPress plugin WP Job Manager from Automattic, versions up through 2.4.1. Any site running the plugin in these versions is potentially impacted.", "description_and_impact": "The bug is a missing authorization check that allows an attacker to access actions or data that should be protected. The vulnerability is due to incorrect configuration of access control security levels within the WP Job Manager plugin. By bypassing these controls, an adversary can obtain information or functionality that is normally restricted to certain user roles.", "risk_and_exploitability": "The exploit is likely to occur over the web interface of a WordPress site, where an attacker may leverage valid credentials or exploit the plugin\u2019s API endpoints. No CVSS score or EPSS probability is available, and the vulnerability is not listed in the CISA KEV catalog. Given the need for authenticated interaction with the plugin, the risk is moderate, but sites should consider the potential for both data disclosure and unauthorized function execution."}}}}, "created": "2026-04-08T19:28:12.909597+00:00", "updated": "2026-04-08T19:41:15.837860+00:00", "vendors": ["automattic", "automattic$PRODUCT$wp_job_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}