WordPress plugin "WP Job Manager" fails to restrict access permissions


The WordPress plugin "WP Job Manager" provided by Automattic Inc. fails to restrict access permissions.

Katsunori Kumagai of Kumasan, LLC. reported this issue to IPA under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Automattic Inc.
  • WP Job Manager prior to version 1.26.2


A remote unauthenticated attacker may upload an image file to the server.

[Update the plugin]
According to developer, the update prevents uploading files from unauthenticated users.
Vendor Information

Automattic Inc.
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)


  1. JVN : JVN#56787058
  2. IPA SECURITY ALERTS : Security Alert for Vulnerability in WordPress plugin "WP Job Manager" (JVN#56787058) (in Japanese)
Revision History

  • [2017/06/15]
      Web page was published