{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23806", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-16T14:15:17.505Z", "datePublished": "2026-03-25T16:14:29.327Z", "dateUpdated": "2026-03-25T16:14:29.327Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "job-postings", "product": "Jobs for WordPress", "vendor": "BlueGlass Interactive AG", "versions": [{"changes": [{"at": "2.8.1", "status": "unaffected"}], "lessThanOrEqual": "<= 2.8", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Krissaphat Jankaew | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:10.985Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Jobs for WordPress: from n/a through <= 2.8.</p>"}], "value": "Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Jobs for WordPress: from n/a through <= 2.8."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:29.327Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/job-postings/vulnerability/wordpress-jobs-for-wordpress-plugin-2-8-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Jobs for WordPress plugin <= 2.8 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Jobs for WordPress: from n/a through <= 2.8."}], "id": "CVE-2026-23806", "lastModified": "2026-03-25T17:16:35.853", "metrics": {}, "published": "2026-03-25T17:16:35.853", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/job-postings/vulnerability/wordpress-jobs-for-wordpress-plugin-2-8-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:05:49.433145+00:00", "value": {"mitigation_remediation": ["Upgrade the Jobs for WordPress plugin to a version newer than\u202f2.8", "Verify that access control settings are configured correctly so that only authorized roles can perform privileged actions", "Disable or remove the plugin if it is not required for site functionality", "Review site logs for any unauthorized job posting activity", "Monitor the site for signs of privilege escalation or unauthorized content changes"], "summary": {"action": "Patch Now", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "Jobs for WordPress, the plugin supplied by BlueGlass Interactive AG, is vulnerable for all releases through version\u202f2.8. Any WordPress installation that includes this plugin without custom security patches is at risk. No specific core WordPress version is listed in the advisory.", "description_and_impact": "A missing authorization flaw in the Jobs for WordPress plugin enables an attacker to bypass intended access restrictions. The vulnerability allows users who normally lack privileged rights to execute actions reserved for job administrators, such as creating, editing, or deleting job postings. Because this is a Missing Authorization weakness (CWE\u2011862), the primary impact is the ability to manipulate or create content that should be protected by proper permissions within the WordPress site.", "risk_and_exploitability": "No CVSS or EPSS score is disclosed, but the flaw permits privilege escalation via the web interface. Based on the description, it is inferred that an attacker could exploit the issue by sending crafted HTTP requests to endpoints provided by the plugin from any web\u2011connected location. The risk is considered high because an unauthorized user can alter or create job postings, compromising data integrity. The vulnerability is not listed in the CISA KEV catalog, yet administrators should treat it as a critical concern until a newer plugin version is installed."}}}}, "created": "2026-03-25T21:35:00.373003+00:00", "updated": "2026-03-25T21:35:00.373037+00:00", "vendors": []}