CVE-2026-27049
Authentication Bypass in Jobica Core ≤ 1.4.2 via Alternate Path
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
CVSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nootheme | jobica_core | up to 1.4.2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27049 is a high-severity authentication bypass vulnerability in the WordPress Jobica Core Plugin versions up to and including 1.4.2. It allows unauthenticated attackers to bypass normal authentication mechanisms by using an alternate path or channel, enabling them to perform actions that are normally restricted to higher-privileged users.
This vulnerability falls under the OWASP Top 10 category A7: Identification and Authentication Failures, meaning it exploits weaknesses in the authentication process to gain unauthorized access.
How can this vulnerability impact me?
This vulnerability can have critical impacts as it allows attackers to gain administrative access to affected WordPress websites without proper authentication.
- Attackers can take over accounts and perform administrative actions.
- It can lead to unauthorized changes, data theft, or site defacement.
- Because of its high CVSS score of 9.8, it is likely to be exploited in mass campaigns targeting many websites.
Immediate mitigation or patching is strongly advised to prevent exploitation.
What immediate steps should I take to mitigate this vulnerability?
The WordPress Jobica Core Plugin versions up to and including 1.4.2 are affected by a critical authentication bypass vulnerability.
No official patch has been released as of March 16, 2026.
Patchstack has issued a mitigation rule that can block attacks exploiting this flaw until an official patch becomes available.
Immediate mitigation or resolution is strongly advised to protect affected sites.
Users who cannot update the plugin themselves should seek assistance from their hosting provider or web developer.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to gain administrative access to affected websites by exploiting broken authentication mechanisms.
Such unauthorized access can lead to data breaches or unauthorized data manipulation, which may result in non-compliance with common standards and regulations like GDPR and HIPAA that require strict access controls and protection of sensitive data.
Therefore, failure to mitigate this vulnerability could compromise compliance with these regulations due to potential exposure or misuse of personal or protected health information.