[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRR5wXj1wRTUkQIwX4wp9OW87eRxdGPs_TOxApjabvW4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-25404","wp-job-manager-missing-authorization-2","WP Job Manager \u003C= 2.4.0 - Missing Authorization","The WP Job Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.4.0. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","wp-job-manager",null,"\u003C=2.4.0","2.4.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-29 00:00:00","2026-05-04 15:46:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa4f8585b-5d69-4ef9-a49c-70f59a392ef9?source=api-prod",96,[22,23,24,25,26,27,28,29],"changelog.txt","includes\u002Fclass-job-dashboard-shortcode.php","includes\u002Fclass-wp-job-manager-ajax.php","includes\u002Fclass-wp-job-manager-post-types.php","includes\u002Fclass-wp-job-manager-recaptcha.php","includes\u002Fclass-wp-job-manager-shortcodes.php","languages\u002Fwp-job-manager.pot","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-25404 (WP Job Manager)\n\n## 1. Vulnerability Summary\nThe **WP Job Manager** plugin (up to version 2.4.0) is vulnerable to **Missing Authorization**. The vulnerability exists in the `Job_Dashboard_Shortcode::handle_actions` method (or similar action handlers within the job dashboard logic). While the plugin implements CSRF protection via nonces, it fails to perform adequate capability checks or ownership verification for specific actions such as duplicating a job listing or changing a job's status (e.g., marking as filled). This allows unauthenticated attackers to perform unauthorized state-changing actions on arbitrary job listings if they can obtain a valid nonce, which is typically exposed to all users visiting the dashboard page.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: The main site URL or the specific page containing the `[job_dashboard]` shortcode.\n- **Hook**: `wp` hook, registered in `WP_Job_Manager\\Job_Dashboard_Shortcode::__construct`.\n- **Query Parameters**:\n    - `action`: The action to perform (e.g., `duplicate`, `mark_filled`, `mark_not_filled`).\n    - `job_id`: The ID of the target job listing.\n    - `_wpnonce`: A WordPress nonce for the action `job_manager_my_job_actions`.\n- **Authentication**: Unauthenticated (`PR:N`).\n- **Precondition**: A job listing must exist, and its ID must be known. The attacker must visit the dashboard page (even if logged out) to retrieve the nonce.\n\n## 3. Code Flow\n1.  **Entry Point**: A `GET` request is sent to `\u002F?action=mark_filled&job_id=123&_wpnonce=[NONCE]`.\n2.  **Hook Execution**: `WP_Job_Manager\\Job_Dashboard_Shortcode::handle_actions()` is triggered via the `wp` hook.\n3.  **Action Parsing**: The code extracts `action` and `job_id` from `$_REQUEST`.\n4.  **Nonce Verification**: The code calls `wp_verify_nonce( $_REQUEST['_wpnonce'], 'job_manager_my_job_actions' )`. For unauthenticated users, this nonce is generated using `uid=0`.\n5.  **Vulnerable Sink**: The code proceeds to execute the action (e.g., updating post meta to mark a job as filled or duplicating the post) **without** verifying that the current user is logged in or that the user has the authority to manage the specific `job_id`.\n6.  **State Change**: The job listing's status or metadata is modified in the database.\n\n## 4. Nonce Acquisition Strategy\nThe `job_manager_my_job_actions` nonce is generated for unauthenticated users when they visit the page containing the `[job_dashboard]` shortcode. Even though the dashboard content is hidden behind a login form for guests, the underlying logic (specifically `Job_Overlay`) often enqueues scripts and localizes data including the nonce.\n\n### Strategy:\n1.  
**Identify Dashboard**: Locate the page containing `[job_dashboard]`.\n2.  **Navigate**: Use `browser_navigate` to visit that page.\n3.  **Extract**: Use `browser_eval` to extract the nonce from the localized JavaScript objects.\n    - Target Variable: `window.wp_job_manager_job_dashboard` (inferred from typical WPJM localization patterns).\n    - Nonce Key: `nonce`.\n    - Command: `browser_eval(\"window.wp_job_manager_job_dashboard?.nonce\")`.\n\n## 5. Exploitation Strategy\n1.  **Setup**: Create a target job listing as an admin and record its ID.\n2.  **Preparation**: Create a page with the `[job_dashboard]` shortcode.\n3.  **Extraction**: Visit the dashboard page as a guest and extract the nonce.\n4.  **Execution**: Use `http_request` to send a GET request to the site root with the target parameters.\n    - **URL**: `http:\u002F\u002Flocalhost:8080\u002F`\n    - **Method**: `GET`\n    - **Params**: `?action=mark_filled&job_id=[JOB_ID]&_wpnonce=[NONCE]`\n5.  **Verification**: Check if the job listing's metadata `_filled` has been set to `1`.\n\n## 6. Test Data Setup\n1.  **Target Job**: Create a job listing.\n    ```bash\n    wp post create --post_type=job_listing --post_title=\"Critical Engineering Role\" --post_status=publish --post_author=1\n    # Record the ID (e.g., 123)\n    ```\n2.  **Dashboard Page**: Create a page to trigger nonce localization.\n    ```bash\n    wp post create --post_type=page --post_title=\"Employer Dashboard\" --post_content='[job_dashboard]' --post_status=publish\n    ```\n\n## 7. Expected Results\n- The HTTP request returns a redirect (302) or success message.\n- The job listing with the specified ID is updated.\n- Specifically, for the `mark_filled` action, the post meta `_filled` will be changed from `0` (or non-existent) to `1`.\n\n## 8. 
Verification Steps\nVerify the state change via WP-CLI:\n```bash\n# Check if the job is marked as filled\nwp post meta get [ID] _filled\n# Or read the same meta value through PHP\nwp eval \"echo get_post_meta([ID], '_filled', true);\"\n```\n\n## 9. Alternative Approaches\nIf `mark_filled` is properly protected, attempt the `duplicate` action:\n1.  **Action**: `duplicate`.\n2.  **Request**: `GET \u002F?action=duplicate&job_id=[ID]&_wpnonce=[NONCE]`.\n3.  **Verification**: Check for the creation of a new job listing with a title like \"Duplicate of [Original Title]\".\n    ```bash\n    wp post list --post_type=job_listing --orderby=ID --order=DESC --limit=1\n    ```\n\nIf the `wp` hook is not the entry point, investigate the `job_manager_ajax_` handlers in `includes\u002Fclass-wp-job-manager-ajax.php`, though the shortcode-based action handler is the most probable location for this specific authorization failure.","gemini-3-flash-preview","2026-05-04 20:56:09","2026-05-04 20:56:57",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","2.4.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-job-manager\u002Ftags\u002F2.4.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-job-manager.2.4.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-job-manager\u002Ftags\u002F2.4.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-job-manager.2.4.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-job-manager\u002Ftags"]