CVE-2024-11712

EPSS 0.45%
Veröffentlicht 14.12.2024 07:15:06
Zuletzt bearbeitet 05.02.2025 15:17:40
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

WP Job Portal <= 2.2.2 - Missing Authorization to Unauthenticated Arbitrary Resume Download

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getResumeFileDownloadById() function in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to download other users resumes.

Mögliche Gegenmaßnahme

WP Job Portal – AI-Powered Recruitment System for Company or Job Board website: Update to version 2.2.3, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wpjobportal ≫ Wp Job Portal SwPlatformwordpress Version < 2.2.3

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt WP Job Portal – AI-Powered Recruitment System for Company or Job Board website

Version *-2.2.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.45%	0.357

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://plugins.trac.wordpress.org/changeset/3202327/wp-job-portal/tags/2.2.3/modules/resume/model.php?old=3187129&old_path=wp-job-portal%2Ftags%2F2.2.2%2Fmodules%2Fresume%2Fmodel.php

Patch

https://gist.github.com/g1-nhantv/245d2829c1b489f61c9124086506b6b8

https://gist.github.com/g1-nhantv/7a26a9681eb3413d8be9323fb151fdcd

https://www.wordfence.com/threat-intel/vulnerabilities/id/ecc87d5f-dba4-40f8-946f-f2634614b579?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/ecc87d5f-dba4-40f8-946f-f2634614b579

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-11712

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-11712

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-11712

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-11712