WordPress Plugin Vulnerabilities

WP Job Portal < 2.3.3 - Unauthenticated Insecure Direct Object Reference

Description

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.2 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
wp-job-portal
Fixed in 2.3.3

References

CVE
CVE-2025-48272
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/29f3be0b-c91b-4dd3-a37f-ecda8a5d2d90

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
LVT-tholv2k
Verified
No
WPVDB ID
3e8f1e81-aeed-4b04-a883-ac0884ae3080

Timeline

Publicly Published
2025-05-19 (about 1 year ago)
Added
2025-05-29 (about 11 months ago)
Last Updated
2025-05-29 (about 11 months ago)

Other

Published
Title
Published
2026-03-10
Title
Happy Addons for Elementor < 3.21.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions
Published
2024-12-05
Title
XLTab – Accordions and Tabs for Elementor Page Builder < 1.5 - Authenticated (Contributor+) Post Disclosure
Published
2024-02-05
Title
Minimal Coming Soon – Coming Soon Page < 2.38 - Unauthenticated Maintenance Mode Bypass
Published
2026-05-13
Title
Fluent Forms < 6.2.1 - Form Manager+ Authorization Bypass via 'table' Parameter
Published
2025-12-02
Title
Projectopia <= 5.1.22 - Authenticated (Custom+) Insecure Direct Object Reference