WordPress Plugin Vulnerabilities

Job Manager <= 0.7.25 - Insecure Direct Object Reference (IDOR)

Description

It is possible to enumerate the CV filename that is uploaded on the server and then access the CV file by performing a bruteforce attack to the wordpress upload directory structure.

Affects Plugins

Plugin icon
job-manager
No known fix

References

CVE
CVE-2015-6668
URL
https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Evangelos Mourikis
Verified
No
WPVDB ID
9fd14f37-8c45-46f9-bcb6-8613d754dd1c

Timeline

Publicly Published
2015-08-28 (about 10 years ago)
Added
2015-08-31 (about 10 years ago)
Last Updated
2020-07-27 (about 5 years ago)

Other

Published
Title
Published
2019-10-09
Title
iThemes Sync <= 2.0.17 - Insufficient Secure Key Validation
Published
2022-06-20
Title
WP OAuth Server ( Login with WordPress ) < 4.0.1 - Authentication Bypass
Published
2026-03-09
Title
Tutor LMS Pro < 3.9.6 - Authentication Bypass via Social Login
Published
2021-07-19
Title
Profile Builder < 3.4.9 - Admin Access via Password Reset
Published
2024-09-03
Title
PixelYourSite – Your smart PIXEL (TAG) & API Manager <= 9.7.1 and PixelYourSite PRO <= 10.4.2 - Unauthenticated Information Exposure and Log Deletion