PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12397 WP Job Portal CVE debrief

The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level (self-registerable) account to read other employers' private account email addresses by enumerating job identifiers. This vulnerability could potentially allow attackers to gather sensitive information about employers, which could be used for further exploitation or malicious activities. The vulnerability affects the WP Job Portal WordPress plugin, which is used by various organizations to manage job postings and employer interactions.

Vendor
WP Job Portal
Product
WP Job Portal WordPress plugin
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of the WP Job Portal WordPress plugin, especially those with subscriber-level accounts, should be aware of this vulnerability and take steps to protect their private account email addresses. Additionally, administrators and security teams responsible for managing WordPress plugins and ensuring the security of their systems should prioritize updating the plugin to the latest version and implementing additional security measures as needed.

Technical summary

The WP Job Portal WordPress plugin before 2.5.5 lacks ownership verification when returning an employer's contact email for a given job. This allows authenticated users with subscriber-level accounts to read other employers' private account email addresses by enumerating job identifiers. The plugin does not properly validate the requestor's relationship to the job or employer, leading to a potential information disclosure vulnerability. Defenders should be aware of the potential for this vulnerability to be exploited and take steps to protect their systems.

Defensive priority

Medium

Recommended defensive actions

  • Update the WP Job Portal WordPress plugin to version 2.5.5 or later
  • Restrict access to job listings and employer contact information
  • Monitor for suspicious activity and implement additional security measures as needed
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-13T07:16:28.113Z and has not been modified since then. The NVD entry is currently Received. There may be additional information available from the vendor or other sources that could help defenders verify and mitigate this vulnerability. However, without further details, defenders should exercise caution and consider the potential impact of this vulnerability on their systems.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T07:16:28.113Z and has not been modified since then.