What the vulnerability does
01 Description
The Nokri - Job Board WordPress Theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.3. This is due to the theme not properly validating a user's identity prior to updating their details, such as their email address. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.
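The missing identity check described above, shown as a hardened profile-update handler. This is an added example, not code from the Nokri theme: the action name `example_update_profile`, the request fields `user_id`, `email` and `nonce` are hypothetical, and it assumes it is loaded inside WordPress.

```php
<?php
// Added example: hypothetical handler, not the theme's own code.
// Action name, nonce action and POST field names are assumptions.
add_action('wp_ajax_example_update_profile', 'example_update_profile');

function example_update_profile() {
    // Reject requests that do not carry a valid nonce (CSRF protection).
    check_ajax_referer('example_update_profile', 'nonce');

    $current_id = get_current_user_id();
    if ($current_id === 0) {
        wp_send_json_error(array('message' => 'Not logged in'), 401);
    }

    // The flawed pattern trusts a user ID taken from the request as-is.
    // Here a request-supplied ID is honoured only when the caller is
    // allowed to edit that user; by default the caller edits themselves.
    $target_id = isset($_POST['user_id']) ? absint($_POST['user_id']) : $current_id;
    if ($target_id !== $current_id && !current_user_can('edit_user', $target_id)) {
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }

    $email = isset($_POST['email']) ? sanitize_email(wp_unslash($_POST['email'])) : '';
    if (!is_email($email)) {
        wp_send_json_error(array('message' => 'Invalid email'), 400);
    }

    // Refuse an address that already belongs to a different account.
    $owner = email_exists($email);
    if ($owner && (int) $owner !== $target_id) {
        wp_send_json_error(array('message' => 'Email already in use'), 409);
    }

    $result = wp_update_user(array('ID' => $target_id, 'user_email' => $email));
    if (is_wp_error($result)) {
        wp_send_json_error(array('message' => $result->get_error_message()), 500);
    }
    wp_send_json_success(array('user_id' => $target_id));
}
```

Binding the update to `get_current_user_id()` and gating any other target behind the `edit_user` capability is what keeps a Subscriber from changing another account's email address.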
Explanation of Vulnerability in Simple Terms
02 Summary
The Nokri Job Board WordPress theme versions 1.6.3 and earlier contain an authentication bypass vulnerability. An attacker with low-level user privileges can exploit weak authentication mechanisms to gain unauthorized access to sensitive functionality. This allows reading and modifying data across the site without proper authorization checks.
What an attacker can do
03 Attacker Capabilities
Read and modify sensitive site data with a low-privilege user account.
Potential impact on your site
04 Site Impact
Unauthorized users can access and alter job listings, user profiles, and other protected content.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege user account on the WordPress site.
Key dates
06 Disclosure timeline
July 12, 2025: CVE published
April 8, 2026: Record updated