{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27049", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:30.504Z", "datePublished": "2026-03-25T16:14:53.632Z", "dateUpdated": "2026-03-25T16:14:53.632Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "jobica-core", "product": "Jobica Core", "vendor": "NooTheme", "versions": [{"lessThanOrEqual": "<= 1.4.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:32.518Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobica Core jobica-core allows Authentication Abuse.<p>This issue affects Jobica Core: from n/a through <= 1.4.2.</p>"}], "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobica Core jobica-core allows Authentication Abuse.This issue affects Jobica Core: from n/a through <= 1.4.2."}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "Authentication Abuse"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:53.632Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/jobica-core/vulnerability/wordpress-jobica-core-plugin-1-4-2-account-takeover-vulnerability?_s_id=cve"}], "title": "WordPress Jobica Core plugin <= 1.4.2 - Account Takeover vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobica Core jobica-core allows Authentication Abuse.This issue affects Jobica Core: from n/a through <= 1.4.2."}], "id": "CVE-2026-27049", "lastModified": "2026-03-25T17:16:54.260", "metrics": {}, "published": "2026-03-25T17:16:54.260", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/jobica-core/vulnerability/wordpress-jobica-core-plugin-1-4-2-account-takeover-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:45:31.720383+00:00", "value": {"mitigation_remediation": ["Upgrade the Jobica Core plugin to a version newer than 1.4.2."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass / Account Takeover"}, "threat_synthesis": {"affected_systems": "WordPress sites running the NooTheme Jobica Core plugin through version 1.4.2 are affected. All installations of the plugin before the advertised update are vulnerable.", "description_and_impact": "This vulnerability allows an attacker to bypass normal authentication flows by exploiting an alternate path or channel in the Jobica Core plugin, enabling unauthorized account access. The weakness is classified as CWE\u2011288, reflecting improper handling of authentication credentials. If exploited, the attacker could gain full control of user accounts, read or modify content, and potentially disrupt site operations.", "risk_and_exploitability": "No EPSS score is available and the issue is not listed in the CISA KEV catalog, but the nature of the flaw suggests that an attacker with web access could exploit it without additional prerequisites. The attack path is likely a direct HTTP request to an undocumented endpoint or a manipulated form submission that the plugin mistakenly accepts as authenticated, allowing account takeover with minimal effort."}}}}, "created": "2026-03-25T21:44:07.676644+00:00", "updated": "2026-03-25T21:44:07.676675+00:00", "vendors": []}