Broken Access Control vulnerability

@donncha Wordfence and Solid Security still cite it as a current issue:

• The Plugin “WP Job Manager” has a security vulnerability.Type: Plugin Vulnerable
• Issue Found April 18, 2026 6:07 amCritical
• IgnoreDetails

• Plugin Name: WP Job Manager
• Current Plugin Version: 2.4.1
• Details: To protect your site from this vulnerability, the safest option is to deactivate and completely remove “WP Job Manager” until a patched version is available. Get more information.(opens in new tab)
• Repository URL: https://wordpress.org/plugins/wp-job-manager(opens in new tab)
• Vulnerability Information: https://www.wordfence.com/threat-intel/vulnerabilities/id/3099875e-ed6e-4d59-9da2-48fb389112ef?source=plugin(opens in new tab)
• Vulnerability Severity: 5.3/10.0 

@donncha thanks! We appreciate your team’s efforts.

May I also take this time to tell you there are many other issues (which can lead to vulnerabilities) which are shown in the Plugin Checker when run on this plugin. I have the upgraded Jobs Manager suite too, and in each of those plugins there are also many errors and warning which we’re concerned can lead to various exploits. WP Jobs Manager represents one of the most important features of our site, and I’m sure many other users.

All that said, I wondered, if your team would be willing to look into that too? There’s a lot of these, but here’s a few I see from the assessment:

WARNINGPluginCheck.Security.DirectDB.UnescapedDBParameterUnescaped parameter $query used in $wpdb->get_results()\n$query assigned unsafely 

ERROR missing_direct_file_access_protectionPHP file should prevent direct access. Add a check like: if ( ! defined( ‘ABSPATH’ ) ) exit;

WARNING WordPress.Security.NonceVerification.MissingProcessing form data without nonce verification.

ERROR missing_direct_file_access_protectionPHP file should prevent direct access. Add a check like: if ( ! defined( ‘ABSPATH’ ) ) exit;

ERROR outdated_tested_upto_headerTested up to: 6.6 < 6.9.
The “Tested up to” value in your plugin is not set to the current version of WordPress. 

WARNING WordPress.Security.NonceVerification.MissingProcessing form data without nonce verification.

ERROR PluginCheck.CodeAnalysis.Heredoc.NotAllowedUse of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead

ERROR plugin_updater_detectedPlugin Updater detected.
These are not permitted in WordPress.org hosted plugins. Detected: site_transient_update_plugins

ERROR WordPress.Security.EscapeOutput.UnsafePrintingFunctionAll output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found ‘_e’.

ERROR WordPress.Security.EscapeOutput.OutputNotEscapedAll output should be run through an escaping function 

WARNING missing_composer_json_fileThe “/vendor” directory using composer exists, but “composer.json” file is missing.

ERROR badly_named_filesFile and folder names must not contain spaces or special characters.

Thanks for your attention to this. We appreciate your team.

Hi @donncha any update to my above last response.

@donncha I could probably test a completed plugin zip with a staged site to see how it behaves, plus a vulnerability code pass, another PCP, and conflict testing with some standard plugins. I won’t be able to test via a fork/PR in GitHub right now due to time constraints.

Working on a platform build atm. Do you feel the current state is stable enough for staging-level testing, or would you prefer to push a bit further before that?

Thanks for re-prioritizing this, it doesn’t go unnoticed.