CVE-2026-12397 in WP Job Portal Plugin
Summary
by MITRE • 07/13/2026
The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level (self-registerable) account to read other employers' private account email addresses by enumerating job identifiers.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/13/2026
The WP Job Portal WordPress plugin version 2.5.4 and earlier contains a critical access control vulnerability that allows authenticated subscribers to enumerate and access private contact information of other employers within the system. This flaw exists due to insufficient input validation and authorization checks when retrieving employer contact details associated with job listings. The vulnerability specifically affects the plugin's handling of job identifier parameters during email retrieval operations, creating an information disclosure scenario where unauthorized users can discover sensitive data without proper authentication or authorization.
This security weakness stems from a lack of proper access controls within the plugin's job data retrieval mechanism. When an authenticated user with subscriber privileges makes requests to the plugin's API endpoints, the system fails to verify whether the requesting user has legitimate access rights to view the contact information associated with specific job listings. The vulnerability operates through parameter manipulation where users can iterate through different job identifiers and obtain email addresses of employers who have posted jobs, effectively bypassing the intended authorization boundaries.
The operational impact of this vulnerability extends beyond simple information disclosure as it enables attackers to build comprehensive databases of employer contact information that could be used for targeted phishing campaigns, spamming activities, or social engineering attacks. The enumeration capability allows malicious users to systematically gather email addresses across multiple job postings, creating a significant privacy risk for employers who may not have intended their contact details to be publicly accessible through this method. This vulnerability directly violates the principle of least privilege and demonstrates inadequate input sanitization practices within the WordPress plugin architecture.
From a cybersecurity perspective, this vulnerability aligns with CWE-284 (Improper Access Control) and represents a clear violation of the security principle that access controls should be enforced at every level of system interaction. The flaw also maps to ATT&CK technique T1566 (Phishing) as it enables adversaries to gather contact information for crafting more convincing phishing attempts, and T1071.004 (Application Layer Protocol: DNS) could be leveraged if attackers use the collected information to target specific domains or organizations through DNS-based reconnaissance activities.
The recommended mitigation strategy involves implementing robust access control checks that validate user permissions before returning any employer contact information, regardless of job identifier provided. Plugin developers should enforce proper authorization mechanisms that verify whether the requesting user has legitimate access rights to view specific job listings and associated contact data. Additionally, input validation should be strengthened to prevent parameter tampering attacks, and rate limiting should be implemented to prevent automated enumeration attempts. Users should immediately upgrade to version 2.5.5 or later where these access control vulnerabilities have been addressed through proper authentication checks and input sanitization measures.