CVE-2024-11284

EPSS 0.24%
Published 14.03.2025 05:15:40
Last modified 08.07.2025 15:21:52
Source security@wordfence.com
Teams watchlist Login
Open Login

The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.9. This is due to the plugin not properly validating a user's identity prior to updating their password through the account_settings_save_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Affected products Warnungen 0 Metrics 2 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Chimpgroup ≫ Jobcareer SwPlatformwordpress Version <= 7.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.24%	0.47

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
security@wordfence.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/8afe386e-1e4f-4668-8309-6d47dedb008a?source=cve

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-11284

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-11284

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-11284

EUVD