What the vulnerability does
01Description
Missing Authorization vulnerability in Sfwebservice InWave Jobs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InWave Jobs: from n/a through 3.5.8.
CVE-2025-39477
CRITICAL
CVE-2025-39477: WordPress InWave Jobs Plugin <= 3.5.8 - Broken Access Control vulnerability
CVSS base score
9.8/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
02Summary
InWave Jobs through version 3.5.8 lacks proper authorization checks, allowing unauthenticated attackers to read, modify, or delete data on affected sites. The vulnerability requires no user interaction and can be exploited remotely over the network. Site administrators should update immediately to a version newer than 3.5.8.
What an attacker can do
03Attacker Capabilities
Read, modify, or delete site data without authentication.
Potential impact on your site
04Site Impact
Attackers can access, alter, or destroy job listings and related data without logging in.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
January 6, 2026
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2025-5811 Listly: Listicles For WordPress <= 2.7 - Unauthenticated Arbitrary Transient Deletion
CVE-2025-47528 WordPress Ovation Elements plugin <= 1.1.2 - Broken Access Control Vulnerability
CVE-2023-46612 WordPress Mediabay plugin <= 1.6 - Broken Access Control vulnerability
CVE-2022-23945 Apache ShenYu missing authentication allows gateway registration
CVE-2025-2815 Administrator Z <= 2025.03.24 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
