PatchSiren cyber security CVE debrief
CVE-2026-12397 WP Job Portal CVE debrief
The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level (self-registerable) account to read other employers' private account email addresses by enumerating job identifiers. This vulnerability could potentially allow attackers to gather sensitive information about employers, which could be used for further exploitation or malicious activities. The vulnerability affects the WP Job Portal WordPress plugin, which is used by various organizations to manage job postings and employer interactions.
- Vendor
- WP Job Portal
- Product
- WP Job Portal WordPress plugin
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of the WP Job Portal WordPress plugin, especially those with subscriber-level accounts, should be aware of this vulnerability and take steps to protect their private account email addresses. Additionally, administrators and security teams responsible for managing WordPress plugins and ensuring the security of their systems should prioritize updating the plugin to the latest version and implementing additional security measures as needed.
Technical summary
The WP Job Portal WordPress plugin before 2.5.5 lacks ownership verification when returning an employer's contact email for a given job. This allows authenticated users with subscriber-level accounts to read other employers' private account email addresses by enumerating job identifiers. The plugin does not properly validate the requestor's relationship to the job or employer, leading to a potential information disclosure vulnerability. Defenders should be aware of the potential for this vulnerability to be exploited and take steps to protect their systems.
Defensive priority
Medium
Recommended defensive actions
- Update the WP Job Portal WordPress plugin to version 2.5.5 or later
- Restrict access to job listings and employer contact information
- Monitor for suspicious activity and implement additional security measures as needed
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-13T07:16:28.113Z and has not been modified since then. The NVD entry is currently Received. There may be additional information available from the vendor or other sources that could help defenders verify and mitigate this vulnerability. However, without further details, defenders should exercise caution and consider the potential impact of this vulnerability on their systems.
Official resources
-
CVE-2026-12397 CVE record
CVE.org
-
CVE-2026-12397 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T07:16:28.113Z and has not been modified since then.