WP Job Portal < 2.2.7 – Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Job Deletion | CVE 2024-13429 | Plugin Vulnerabilities

Description

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the 'jobenforcedelete' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with employer-level access and above, to delete arbitrary

Affects Plugins

Fixed in 2.2.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9cbce69a-53d0-4b83-9b7a-893a6b9c39c4

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

thevietronin

Verified

No

WPVDB ID

0ac1d110-a3ce-4b7f-93c0-6da6b5cc6bb2

Timeline

Publicly Published

2025-01-31 (about 1 year ago)

Added

2025-01-31 (about 1 year ago)

Last Updated

2025-02-01 (about 1 year ago)

Other

Published

Title

Published

2026-05-20

Title

Broadstreet < 1.53.2 - Authenticated (Subscriber+) Private Post Meta Disclosure via get_sponsored_meta

Published

2025-09-09

Title

WPGYM - Wordpress Gym Management System <= 67.7.0 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover

Published

2026-01-01

Title

Curly <= 3.3 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2024-11-20

Title

Theme Builder For Elementor < 1.2.3 - Authenticated (Contributor+) Post Disclosure

Published

2024-11-12

Title

Boostify Header Footer Builder for Elementor < 1.3.7 - Authenticated (Contributor+) Post Disclosure