WordPress Plugin Vulnerabilities

Ninja Job Board < 1.3.3 - Resume Disclosure via Directory Listing

Description

The plugin does not protect the directory where it stores uploaded resumes, making it vulnerable to unauthenticated Directory Listing which allows the download of uploaded resumes.

Proof of Concept

Affects Plugins

Plugin icon
ninja-job-board
Fixed in 1.3.3

References

CVE
CVE-2022-2544
URL
https://plugins.trac.wordpress.org/changeset/2758420/ninja-job-board/trunk/includes/Classes/File/FileHandler.php?old=2126467&old_path=ninja-job-board%2Ftrunk%2Fincludes%2FClasses%2FFile%2FFileHandler.php

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
a9bcc68c-eeda-4647-8463-e7e136733053

Timeline

Publicly Published
2022-08-01 (about 3 years ago)
Added
2022-08-01 (about 3 years ago)
Last Updated
2023-04-30 (about 2 years ago)

Other

Published
Title
Published
2023-11-21
Title
Quttera Web Malware Scanner < 3.4.2.1 - Directory Listing to Sensitive Data Exposure
Published
2025-01-06
Title
Passster – Password Protect Pages and Content < 4.2.11 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Published
2025-05-07
Title
Mail Mint < 1.17.8 - Unauthenticated Sensitive Information Exposure
Published
2025-12-12
Title
Fix Media Library <= 2.0 - Unauthenticated Information Exposure
Published
2024-12-16
Title
ElementsReady Addons for Elementor < 6.4.9 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates