Job Manager & Career < 1.4.4 – Directory listing to Sensitive Data Exposure | CVE 2023-5906

Description

The plugin contains a vulnerability in the Directory Listings system, which allows an unauthorized user to view and download private files of other users. This vulnerability poses a serious security threat because it allows an attacker to gain access to confidential data and files of other users without their permission.

Proof of Concept

http://your_site/wordpress/wp-content/uploads/thjmf_uploads

Affects Plugins

job-manager-career

Fixed in 1.4.4

References

CVE

CVE-2023-5906

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CWE-200

CVSS

7.5 (high)

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

911d495c-3867-4259-a73a-572cd4fccdde

Timeline

Publicly Published

2023-11-06 (about 2 years ago)

Added

2023-11-06 (about 2 years ago)

Last Updated

2023-11-06 (about 2 years ago)

Other

Published

Title

Published

2022-11-28

Title

Syncee - Global Dropshipping < 1.0.10 - Authentication Token Disclosure

Published

2024-04-26

Title

Contact Form 7 Database Addon – CFDB7 < 1.2.7 - Unauthenticated Sensitive Information Exposure

Published

2023-12-28

Title

Affiliates Manager < 2.9.31 - Sensitive Information Exposure via Log File

Published

2025-12-11

Title

Events Manager < 7.2.2.3 - Unauthenticated Information Exposure

Published

2024-12-16

Title

s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions < 241216 - Authenticated (Contributor+) Sensitive Information Exposure