CVE-2024-11712

Published: Dec 14, 2024Modified: Feb 5, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: security@wordfence.com (Secondary)

Description

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getResumeFileDownloadById() function in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to download other users resumes.

Affected (1)

Products: Wpjobportal: Wp Job Portal

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wpjobportal Wp Job Portal	Before 2.2.3

Related CWEs

Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (4)

https://gist.github.com/g1-nhantv/245d2829c1b489f61c9124086506b6b8

Source: security@wordfence.com

Related

https://gist.github.com/g1-nhantv/7a26a9681eb3413d8be9323fb151fdcd

Source: security@wordfence.com

Related

https://plugins.trac.wordpress.org/changeset/3202327/wp-job-portal/tags/2.2.3/modules/resume/model.php?old=3187129&old_path=wp-job-portal%2Ftags%2F2.2.2%2Fmodules%2Fresume%2Fmodel.php

Source: security@wordfence.com

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/ecc87d5f-dba4-40f8-946f-f2634614b579?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.