Job Portal < 2.4.4 – Authenticated (Subscriber+) Insecure Direct Object Reference | CVE 2026-24379 | Plugin Vulnerabilities

Description

The WP Job Portal – AI-Powered Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.3 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Fixed in 2.4.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5f84140f-2572-4ffb-9b38-22eed5b0f80d

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Nabil Irawan

Verified

No

WPVDB ID

f233677b-a61a-4c29-85f6-48a9a4c18450

Timeline

Publicly Published

2026-01-24 (about 4 months ago)

Added

2026-01-28 (about 3 months ago)

Last Updated

2026-01-28 (about 3 months ago)

Other

Published

Title

Published

2024-04-10

Title

GP Unique ID < 1.5.6 - Unauthenticated Form Submission Unique ID Modification

Published

2024-06-28

Title

Paid Memberships Pro < 3.0.5 - Unauthenticated Insecure Direct Object Reference to Order Status Update

Published

2024-11-27

Title

Restaurant & Cafe Addon for Elementor < 1.6.0 - Authenticated (Contributor+) Post Disclosure

Published

2025-04-01

Title

JobBoard Job listing <= 1.2.7 - Authenticated (Employer+) Insecure Direct Object Reference

Published

2023-11-23

Title

Accept Stripe Payments < 2.0.80 - Insecure Direct Object Reference