CVE-2026-12397
Received Received - Intake

Information Disclosure in WP Job Portal WordPress Plugin

Vulnerability report for CVE-2026-12397, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: WPScan

Description

The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level (self-registerable) account to read other employers' private account email addresses by enumerating job identifiers.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wp_job_portal wp_job_portal to 2.5.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WP Job Portal plugin before version 2.5.5 has an Insecure Direct Object Reference (IDOR) vulnerability. This flaw allows authenticated users with a subscriber-level account to access private email addresses of other employers. The vulnerability exists because the plugin does not verify whether the user owns the job listing when returning the employer's contact email. Attackers can exploit this by enumerating job identifiers to collect private emails from other employers.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of private employer email addresses to any authenticated subscriber-level user. This exposure of sensitive contact information can result in privacy breaches, targeted phishing attacks, spam, or other malicious activities against the affected employers.

Detection Guidance

This vulnerability can be detected by attempting to enumerate job identifiers while authenticated with a subscriber-level account and checking if the employer's private email addresses are disclosed without proper ownership verification.

Specifically, an authenticated user can try to access the employer contact email endpoint for different job IDs to see if emails from other employers are returned.

No specific commands are provided in the available resources, but testing can be done by scripting HTTP requests to the plugin's API or web endpoints that return employer contact emails, iterating over job IDs.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WP Job Portal plugin to version 2.5.5 or later, where the issue has been fixed.

Until the update can be applied, restrict subscriber-level user access or disable the plugin to prevent exploitation by unauthorized users.

Compliance Impact

The vulnerability allows authenticated users with subscriber-level access to read other employers' private email addresses by exploiting a lack of ownership verification. This unauthorized disclosure of personal contact information could lead to non-compliance with data protection regulations such as GDPR, which mandates the protection of personal data and restricts unauthorized access and disclosure.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the exposure of private email addresses due to broken access control represents a privacy risk that could violate such regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12397. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart