WordPress Plugin Vulnerabilities

JS Job Manager < 2.0.1 - Missing Authorization

Description

The plugin does not have authorisation in various AJAX actions, which could allow users with a role as low as Subscriber to call them and perform unauthorised actions

Affects Plugins

Plugin icon
js-jobs
Fixed in 2.0.1

References

CVE
CVE-2023-28689

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Fariq Fadillah Gusti Insani
Verified
No
WPVDB ID
d12713f5-a29e-4a9c-8f16-f7bc62f279bc

Timeline

Publicly Published
2023-03-21 (about 3 years ago)
Added
2023-06-16 (about 2 years ago)
Last Updated
2023-06-16 (about 2 years ago)

Other

Published
Title
Published
2023-12-05
Title
Post Duplicator < 2.32 - Missing Authorization via mtphr_duplicate_post
Published
2024-06-11
Title
InstaWP Connect – 1-click WP Staging & Migration < 0.1.0.39 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation
Published
2024-08-21
Title
Image Optimizer, Resizer and CDN – Sirv < 7.2.8 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Upload
Published
2024-09-24
Title
JoomSport < 5.6.4 - Missing Authorization
Published
2024-06-05
Title
Countdown, Coming Soon, Maintenance – Countdown & Clock < 2.7.8.1 - Missing Authorization to Authenticated (Subscriber+) PHP Object Injection