Hi - I have a client who had a site built by another party and is using your Job Board Manager plugin tied into their website.
I was resolving some issues for them today and I noticed that the submitted jobs has a default option for published/draft/private, but if someone applies, that immediately gets published to the website with an auto-generated URL that includes the application number.
If someone applied and wanted to see the application before them for the same job - all they have to do is go to the URL that was sent to them in the confirmation email and then just change the application number one back (8785 to 8784 and then on) and look at all the people who have applied to any jobs.
This is a major concern and has us discussing changing plugins to another platform. Is this something that's been addressed or is being addressed in upcoming updates?
If so, what's the roadmap so we can plan our risk mitigation? My client is involved in the legal field and can't afford an incident!
I'll share the website details in a private email reply as needed.
Welcome to our forum.
Thanks for your report, i will check our plugin tomorrow and update soon. if possible please send me video walkthrough to regenerate errors.