WordPress Plugin Vulnerabilities

WP Job Portal – A Complete Recruitment System for Company or Job Board website < 2.2.6- Authenticated (Subscriber+) Insecure Direct Object Reference

Description

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.5 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit resumes for other applicants when applying for jobs.

Affects Plugins

Plugin icon
wp-job-portal
Fixed in 2.2.6

References

CVE
CVE-2024-12131
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b4772ab0-41cd-4b35-bda9-d72e0fd7b7a5

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Apostolos Sakellariou
Verified
No
WPVDB ID
d73f349e-39e1-482c-a532-cbf5ed7926f2

Timeline

Publicly Published
2025-01-06 (about 1 year ago)
Added
2025-01-07 (about 1 year ago)
Last Updated
2025-01-07 (about 1 year ago)

Other

Published
Title
Published
2024-10-16
Title
WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin < 1.0.26 - Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover
Published
2024-12-02
Title
Charity Addon for Elementor <= 1.3.3 - Authenticated (Contributor+) Post Disclosure
Published
2024-06-28
Title
Paid Memberships Pro < 3.0.5 - Unauthenticated Insecure Direct Object Reference to Order Status Update
Published
2025-02-06
Title
Builder Shortcode Extras – WordPress Shortcodes Collection to Save You Time <= 1.0.0 - Authenticated (Contributor+) Post Disclosure
Published
2023-12-27
Title
WooCommerce Stripe Payment Gateway < 7.6.2 - Unauthenticated Order Deletion via IDOR