SecuriTricks - CVE-2024-11917

Description

The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.8.8. This is due to improper configurations in the 'jobsearch_xing_response_data_callback', 'set_access_tokes', and 'google_callback' functions. This makes it possible for unauthenticated attackers to log in as the first connected Xing user, or any connected Xing user if the Xing id is known. It is also possible for unauthenticated attackers to log in as the first connected Google user if the user has logged in, without subsequently logging out, in thirty days. The vulnerability was partially patched in version 2.8.4.

Product(s) Impacted

Vendor	Product	Versions
Wordpress	Jobsearch Wp Job Board Plugin	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	wordpress	jobsearch_wp_job_board_plugin	/	/	/	/	/	wordpress	/	/

References

https://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856

https://www.wordfence.com/threat-intel/vulnerabilities/id/6de8a608-8715-4f9c-9f2f-df60dd1cc579?source=cve

CVSS Score

8.1 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

View Vector String

Timeline

Published: April 25, 2025, 12:15 p.m.
Last Modified: April 25, 2025, 12:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@wordfence.com

CVE-2024-11917