{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23806", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-16T14:15:17.505Z", "datePublished": "2026-03-25T16:14:29.327Z", "dateUpdated": "2026-03-27T17:55:20.624Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "job-postings", "product": "Jobs for WordPress", "vendor": "BlueGlass Interactive AG", "versions": [{"changes": [{"at": "2.8.1", "status": "unaffected"}], "lessThanOrEqual": "<= 2.8", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Krissaphat Jankaew | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:10.985Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Jobs for WordPress: from n/a through <= 2.8.</p>"}], "value": "Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Jobs for WordPress: from n/a through <= 2.8."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:29.327Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/job-postings/vulnerability/wordpress-jobs-for-wordpress-plugin-2-8-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Jobs for WordPress plugin <= 2.8 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T17:55:01.860168Z", "id": "CVE-2026-23806", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T17:55:20.624Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23806", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-16T14:15:17.505Z", "datePublished": "2026-03-25T16:14:29.327Z", "dateUpdated": "2026-03-27T17:55:20.624Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "job-postings", "product": "Jobs for WordPress", "vendor": "BlueGlass Interactive AG", "versions": [{"changes": [{"at": "2.8.1", "status": "unaffected"}], "lessThanOrEqual": "<= 2.8", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Krissaphat Jankaew | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:10.985Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Jobs for WordPress: from n/a through <= 2.8.</p>"}], "value": "Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Jobs for WordPress: from n/a through <= 2.8."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:29.327Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/job-postings/vulnerability/wordpress-jobs-for-wordpress-plugin-2-8-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Jobs for WordPress plugin <= 2.8 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-23806", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T17:55:01.860168Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T17:54:07.024Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Jobs for WordPress: from n/a through <= 2.8."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en las publicaciones de empleo de BlueGlass Interactive AG Jobs for WordPress permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Jobs for WordPress: desde n/a hasta &lt;= 2.8."}], "id": "CVE-2026-23806", "lastModified": "2026-03-27T18:16:04.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:35.853", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/job-postings/vulnerability/wordpress-jobs-for-wordpress-plugin-2-8-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.8]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.8.1,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Jobs for WordPress", "source": "cna", "vendor": "BlueGlass Interactive AG"}, "product": "jobs_for_wordpress", "vendor": "blueglass_interactive_ag"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-27T19:28:06.006582+00:00", "value": {"mitigation_remediation": ["Upgrade the Jobs for WordPress plugin to the latest released version, which includes the access\u2011control fix.", "If an upgrade is not immediately possible, block or restrict HTTP access to the plugin\u2019s administrative URLs for non\u2011administrator users.", "Verify that users with non\u2011admin roles no longer retain access to job\u2011posting management by conducting an access\u2011control test."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The weakness is present in the Jobs for WordPress job\u2011postings plugin by BlueGlass Interactive AG for all versions up to and including 2.8. Any WordPress site that has this plugin installed and has not been upgraded to a newer, patched release is affected.", "description_and_impact": "A missing authorization check in the Jobs for WordPress plugin allows attackers to access administrative functionality that should be restricted. The flaw is a classic broken access control vulnerability (CWE\u2011862). An attacker can create, edit, or delete job postings, or view sensitive application data, without authenticating or without sufficient privileges, thereby enabling unauthorized manipulation of content and deception of job seekers.", "risk_and_exploitability": "The CVSS score is 7.5, indicating high impact. The EPSS score is below 1%, suggesting low current exploitation probability, and the vulnerability is not listed in CISA\u2019s KEV catalog. Likely attack vectors involve sending crafted HTTP requests to the plugin\u2019s administrative endpoints, and the flaw can be exploited without elevated privileges or prior authentication. Consequently, an unauthenticated attacker could potentially manipulate job listings."}}}}, "created": "2026-03-25T21:35:00.373003+00:00", "updated": "2026-03-27T20:26:32.016334+00:00", "vendors": ["blueglass_interactive_ag", "blueglass_interactive_ag$PRODUCT$jobs_for_wordpress", "wordpress", "wordpress$PRODUCT$wordpress"]}