WordPress Plugin Vulnerabilities

WP Job Portal < 2.1.9 - Subscriber+ Insecure Direct Object Reference

Description

The plugin is vulnerable to Insecure Direct Object Reference due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
wp-job-portal
Fixed in 2.1.9

References

CVE
CVE-2024-43266
URL
https://patchstack.com/database/vulnerability/wp-job-portal/wordpress-wp-job-portal-a-complete-job-board-plugin-2-1-6-insecure-direct-object-references-idor-vulnerability

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
LuxF0z
Verified
No
WPVDB ID
1ca8d6ea-fa9b-482d-97d7-e1413b92ee8a

Timeline

Publicly Published
2024-08-12 (about 1 year ago)
Added
2024-08-22 (about 1 year ago)
Last Updated
2024-10-21 (about 1 year ago)

Other

Published
Title
Published
2024-11-27
Title
Primary Addon for Elementor < 1.6.3 - Authenticated (Contributor+) Post Disclosure
Published
2024-11-21
Title
Easy Twitter Feed – Twitter feeds plugin for WP <= 1.2.6 - Authenticated (Contributor+) Post Exposure
Published
2025-02-17
Title
ProfileGrid – User Profiles, Groups and Communities < 5.9.4.3 - Insecure Direct Object Reference to Authenticated (Subscriber+) Private Messages Disclosure
Published
2024-03-18
Title
Permalink Manager < 2.4.3.2 - Missing Authorization to Authenticated(Author+) arbitrary post slug modification
Published
2025-06-26
Title
Mollie Payments for WooCommerce < 8.0.3 - Unauthenticated Insecure Direct Object Reference