WordPress Plugin Vulnerabilities

JobSearch WP Job Board < 1.8.2 - Subscriber+ Add/Update Schedule Calls

Description

The jobsearch_add_job_import_schedule_call and jobsearch_update_job_import_schedule_call AJAx action o the plugin, available to any authenticated user do not have authorisation and CSRF check sin place, allowing users with a role as low as subscriber to call them

Affects Plugins

Plugin icon
wp-jobsearch
Fixed in 1.8.2

References

CVE
CVE-2021-4364
URL
https://blog.nintechnet.com/wordpress-jobsearch-wp-job-board-plugin-fixed-vulnerability/

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jerome Bruandet
Verified
Yes
WPVDB ID
7e2dd5df-f758-419c-bfb8-b8e53235fede

Timeline

Publicly Published
2021-10-05 (about 2 years ago)
Added
2021-10-05 (about 2 years ago)
Last Updated
2023-06-08 (about 11 months ago)

Other

Published
Title
Published
2024-04-08
Title
GamiPress < 6.8.9 - Broken Access Control
Published
2022-06-28
Title
Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update
Published
2021-04-22
Title
Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via Low Privilege User
Published
2022-05-18
Title
Jupiter < 6.10.2 & JupiterX < 2.0.7 - Subscriber+ Path Traversal and Local File Inclusion
Published
2021-04-20
Title
Redirection for Contact Form 7 < 2.3.4 - Unprotected AJAX Actions