Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
34 vulnerabilities by wpjobportal
CVE-2026-4758 (GCVE-0-2026-4758)
Vulnerability from cvelistv5 – Published: 2026-03-25 23:26 – Updated: 2026-03-26 17:51
VLAI?
Title
WP Job Portal <= 2.4.9 - Authenticated (Subscriber+) Arbitrary File Deletion via Resume Custom File Field
Summary
The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity ?
8.8 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – AI-Powered Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.4.9
(semver)
|
Credits
daroo
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4758",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T17:36:58.561742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T17:51:16.635Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 AI-Powered Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.4.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "daroo"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the \u0027WPJOBPORTALcustomfields::removeFileCustom\u0027 function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T23:26:02.312Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e96f31e0-4b2e-4ea1-a3e5-fd7452a2fea9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.4.9/includes/classes/customfields.php#L1558"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.5.0/includes/classes/customfields.php?rev=3490490#L1558"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-24T08:57:49.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-25T10:39:46.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.4.9 - Authenticated (Subscriber+) Arbitrary File Deletion via Resume Custom File Field"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4758",
"datePublished": "2026-03-25T23:26:02.312Z",
"dateReserved": "2026-03-24T08:42:06.937Z",
"dateUpdated": "2026-03-26T17:51:16.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4306 (GCVE-0-2026-4306)
Vulnerability from cvelistv5 – Published: 2026-03-23 22:25 – Updated: 2026-03-24 15:13
VLAI?
Title
WP Job Portal <= 2.4.8 - Unauthenticated SQL Injection via 'radius' Parameter
Summary
The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter in all versions up to, and including, 2.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
7.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – AI-Powered Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.4.8
(semver)
|
Credits
Leonid Semenenko
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4306",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T14:16:19.039564Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T15:13:00.978Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 AI-Powered Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.4.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Leonid Semenenko"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the \u0027radius\u0027 parameter in all versions up to, and including, 2.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T22:25:40.158Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ecc34552-c9b0-455f-b1c7-b31cc847cb22?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.4.7/modules/job/model.php#L2743"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.4.7/includes/ajax.php#L10"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/wp-job-portal/tags/2.4.8\u0026new_path=/wp-job-portal/tags/2.4.9"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-16T21:12:24.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-23T10:12:47.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.4.8 - Unauthenticated SQL Injection via \u0027radius\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4306",
"datePublished": "2026-03-23T22:25:40.158Z",
"dateReserved": "2026-03-16T20:57:12.096Z",
"dateUpdated": "2026-03-24T15:13:00.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24941 (GCVE-0-2026-24941)
Vulnerability from cvelistv5 – Published: 2026-02-20 15:47 – Updated: 2026-04-01 14:14
VLAI?
Title
WordPress WP Job Portal plugin <= 2.4.4 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Portal: from n/a through <= 2.4.4.
Severity ?
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal |
Affected:
0 , ≤ 2.4.4
(custom)
|
Date Public ?
2026-04-01 16:04
Credits
benzdeus | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-24941",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T19:03:32.109624Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T19:03:40.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-job-portal",
"product": "WP Job Portal",
"vendor": "wpjobportal",
"versions": [
{
"changes": [
{
"at": "2.4.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.4.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "benzdeus | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:04:55.023Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects WP Job Portal: from n/a through \u003c= 2.4.4.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Portal: from n/a through \u003c= 2.4.4."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:14:31.155Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-4-4-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP Job Portal plugin \u003c= 2.4.4 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-24941",
"datePublished": "2026-02-20T15:47:07.258Z",
"dateReserved": "2026-01-28T09:50:05.801Z",
"dateUpdated": "2026-04-01T14:14:31.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24379 (GCVE-0-2026-24379)
Vulnerability from cvelistv5 – Published: 2026-01-22 16:52 – Updated: 2026-04-01 14:14
VLAI?
Title
WordPress WP Job Portal plugin <= 2.4.3 - Insecure Direct Object References (IDOR) vulnerability
Summary
Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Portal: from n/a through <= 2.4.3.
Severity ?
9.1 (Critical)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal |
Affected:
0 , ≤ 2.4.3
(custom)
|
Date Public ?
2026-04-01 16:05
Credits
Nabil Irawan | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-24379",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-23T16:47:18.323677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T18:54:05.541Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-job-portal",
"product": "WP Job Portal",
"vendor": "wpjobportal",
"versions": [
{
"changes": [
{
"at": "2.4.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.4.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nabil Irawan | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:05:18.253Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects WP Job Portal: from n/a through \u003c= 2.4.3.\u003c/p\u003e"
}
],
"value": "Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Portal: from n/a through \u003c= 2.4.3."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:14:09.921Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-4-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP Job Portal plugin \u003c= 2.4.3 - Insecure Direct Object References (IDOR) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-24379",
"datePublished": "2026-01-22T16:52:46.322Z",
"dateReserved": "2026-01-22T14:42:40.516Z",
"dateUpdated": "2026-04-01T14:14:09.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14467 (GCVE-0-2025-14467)
Vulnerability from cvelistv5 – Published: 2025-12-12 03:20 – Updated: 2025-12-15 18:17
VLAI?
Title
WP Job Portal <= 2.3.9 - Authenticated (Editor+) Stored Cross-Site Scripting via Job Description Field
Summary
The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.3.9. This is due to the plugin explicitly whitelisting the `<script>` tag in its `WPJOBPORTAL_ALLOWED_TAGS` configuration and using insufficient input sanitization when saving job descriptions. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts into job description fields via the job creation/editing interface. These scripts will execute whenever a user accesses an injected page, enabling session hijacking, credential theft, and other malicious activities.This only impacts multi-site installations, or those with unfiltered_html disabled.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – AI-Powered Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.3.9
(semver)
|
Credits
Long Nguyen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14467",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T18:08:38.949270Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T18:17:14.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 AI-Powered Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.3.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Long Nguyen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.3.9. This is due to the plugin explicitly whitelisting the `\u003cscript\u003e` tag in its `WPJOBPORTAL_ALLOWED_TAGS` configuration and using insufficient input sanitization when saving job descriptions. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts into job description fields via the job creation/editing interface. These scripts will execute whenever a user accesses an injected page, enabling session hijacking, credential theft, and other malicious activities.This only impacts multi-site installations, or those with unfiltered_html disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T03:20:39.179Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c347b9f-d297-4cb5-9c4a-1001d845ed5a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/includes/constants.php#L351"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/trunk/includes/constants.php#L351"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/trunk/modules/job/model.php#L1278"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/job/model.php#L1278"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/trunk/modules/job/tmpl/views/frontend/title.php#L231"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/job/tmpl/views/frontend/title.php#L231"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-11T15:05:46.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.3.9 - Authenticated (Editor+) Stored Cross-Site Scripting via Job Description Field"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14467",
"datePublished": "2025-12-12T03:20:39.179Z",
"dateReserved": "2025-12-10T16:11:47.862Z",
"dateUpdated": "2025-12-15T18:17:14.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14293 (GCVE-0-2025-14293)
Vulnerability from cvelistv5 – Published: 2025-12-11 20:22 – Updated: 2025-12-11 21:18
VLAI?
Title
WP Job Portal <= 2.4.0 - Authenticated (Subscriber+) Arbitrary File Read
Summary
The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the 'downloadCustomUploadedFile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Severity ?
6.5 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – AI-Powered Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.4.0
(semver)
|
Credits
Long Nguyen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14293",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-11T21:05:00.571565Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T21:18:15.841Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 AI-Powered Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.4.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Long Nguyen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the \u0027downloadCustomUploadedFile\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T20:22:09.209Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dfcd264-39e3-44af-8e0e-5c35734524d0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/customfield/model.php#L908"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-11T06:34:28.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.4.0 - Authenticated (Subscriber+) Arbitrary File Read"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14293",
"datePublished": "2025-12-11T20:22:09.209Z",
"dateReserved": "2025-12-08T19:46:21.034Z",
"dateUpdated": "2025-12-11T21:18:15.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48274 (GCVE-0-2025-48274)
Vulnerability from cvelistv5 – Published: 2025-06-17 15:01 – Updated: 2026-04-01 15:54
VLAI?
Title
WordPress WP Job Portal plugin <= 2.3.2 - SQL Injection Vulnerability
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpjobportal WP Job Portal wp-job-portal allows Blind SQL Injection.This issue affects WP Job Portal: from n/a through <= 2.3.2.
Severity ?
No CVSS data available.
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal |
Affected:
0 , ≤ 2.3.2
(custom)
|
Date Public ?
2026-04-01 16:40
Credits
LVT-tholv2k | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48274",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T18:31:58.944313Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T18:37:55.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-job-portal",
"product": "WP Job Portal",
"vendor": "wpjobportal",
"versions": [
{
"changes": [
{
"at": "2.3.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LVT-tholv2k | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:40:49.612Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in wpjobportal WP Job Portal wp-job-portal allows Blind SQL Injection.\u003cp\u003eThis issue affects WP Job Portal: from n/a through \u003c= 2.3.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in wpjobportal WP Job Portal wp-job-portal allows Blind SQL Injection.This issue affects WP Job Portal: from n/a through \u003c= 2.3.2."
}
],
"impacts": [
{
"capecId": "CAPEC-7",
"descriptions": [
{
"lang": "en",
"value": "Blind SQL Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:54:30.071Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-2-3-2-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP Job Portal plugin \u003c= 2.3.2 - SQL Injection Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-48274",
"datePublished": "2025-06-17T15:01:31.321Z",
"dateReserved": "2025-05-19T14:13:24.501Z",
"dateUpdated": "2026-04-01T15:54:30.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47438 (GCVE-0-2025-47438)
Vulnerability from cvelistv5 – Published: 2025-05-23 12:43 – Updated: 2026-04-01 15:53
VLAI?
Title
WordPress WP Job Portal plugin <= 2.3.1 - Local File Inclusion vulnerability
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpjobportal WP Job Portal wp-job-portal allows PHP Local File Inclusion.This issue affects WP Job Portal: from n/a through <= 2.3.1.
Severity ?
No CVSS data available.
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal |
Affected:
0 , ≤ 2.3.1
(custom)
|
Date Public ?
2026-04-01 16:39
Credits
Trương Hữu Phúc (truonghuuphuc) | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47438",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-23T14:55:09.833093Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T14:55:15.452Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-job-portal",
"product": "WP Job Portal",
"vendor": "wpjobportal",
"versions": [
{
"changes": [
{
"at": "2.3.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:39:54.988Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in wpjobportal WP Job Portal wp-job-portal allows PHP Local File Inclusion.\u003cp\u003eThis issue affects WP Job Portal: from n/a through \u003c= 2.3.1.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in wpjobportal WP Job Portal wp-job-portal allows PHP Local File Inclusion.This issue affects WP Job Portal: from n/a through \u003c= 2.3.1."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "PHP Local File Inclusion"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:53:10.130Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-3-1-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP Job Portal plugin \u003c= 2.3.1 - Local File Inclusion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-47438",
"datePublished": "2025-05-23T12:43:37.020Z",
"dateReserved": "2025-05-07T09:38:32.076Z",
"dateUpdated": "2026-04-01T15:53:10.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48273 (GCVE-0-2025-48273)
Vulnerability from cvelistv5 – Published: 2025-05-23 12:43 – Updated: 2026-04-01 15:54
VLAI?
Title
WordPress WP Job Portal plugin <= 2.3.2 - Arbitrary File Download Vulnerability
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wpjobportal WP Job Portal wp-job-portal allows Path Traversal.This issue affects WP Job Portal: from n/a through <= 2.3.2.
Severity ?
No CVSS data available.
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal |
Affected:
0 , ≤ 2.3.2
(custom)
|
Date Public ?
2026-04-01 16:40
Credits
LVT-tholv2k | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48273",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-27T14:35:56.250192Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T14:36:01.416Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-job-portal",
"product": "WP Job Portal",
"vendor": "wpjobportal",
"versions": [
{
"changes": [
{
"at": "2.3.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LVT-tholv2k | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:40:48.548Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in wpjobportal WP Job Portal wp-job-portal allows Path Traversal.\u003cp\u003eThis issue affects WP Job Portal: from n/a through \u003c= 2.3.2.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in wpjobportal WP Job Portal wp-job-portal allows Path Traversal.This issue affects WP Job Portal: from n/a through \u003c= 2.3.2."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "Path Traversal"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:54:29.762Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-2-3-2-arbitrary-file-download-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP Job Portal plugin \u003c= 2.3.2 - Arbitrary File Download Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-48273",
"datePublished": "2025-05-23T12:43:16.413Z",
"dateReserved": "2025-05-19T14:13:24.501Z",
"dateUpdated": "2026-04-01T15:54:29.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48272 (GCVE-0-2025-48272)
Vulnerability from cvelistv5 – Published: 2025-05-19 14:45 – Updated: 2026-04-01 15:54
VLAI?
Title
WordPress WP Job Portal plugin <= 2.3.2 - Insecure Direct Object References (IDOR) Vulnerability
Summary
Missing Authorization vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Portal: from n/a through <= 2.3.2.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal |
Affected:
0 , ≤ 2.3.2
(custom)
|
Date Public ?
2026-04-01 16:40
Credits
LVT-tholv2k | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48272",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T15:07:39.448210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T15:17:00.918Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-job-portal",
"product": "WP Job Portal",
"vendor": "wpjobportal",
"versions": [
{
"changes": [
{
"at": "2.3.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LVT-tholv2k | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:40:48.347Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects WP Job Portal: from n/a through \u003c= 2.3.2.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Portal: from n/a through \u003c= 2.3.2."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:54:29.425Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-2-3-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP Job Portal plugin \u003c= 2.3.2 - Insecure Direct Object References (IDOR) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-48272",
"datePublished": "2025-05-19T14:45:25.486Z",
"dateReserved": "2025-05-19T14:13:24.501Z",
"dateUpdated": "2026-04-01T15:54:29.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-26935 (GCVE-0-2025-26935)
Vulnerability from cvelistv5 – Published: 2025-02-25 14:17 – Updated: 2026-04-01 15:45
VLAI?
Title
WordPress WP Job Portal plugin <= 2.2.8 - Local File Inclusion vulnerability
Summary
Path Traversal: '.../...//' vulnerability in wpjobportal WP Job Portal wp-job-portal allows PHP Local File Inclusion.This issue affects WP Job Portal: from n/a through <= 2.2.8.
Severity ?
No CVSS data available.
CWE
- CWE-35 - Path Traversal: '.../...//'
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal |
Affected:
0 , ≤ 2.2.8
(custom)
|
Date Public ?
2026-04-01 16:35
Credits
Trương Hữu Phúc (truonghuuphuc) | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26935",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T15:07:51.893068Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T15:09:31.531Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-job-portal",
"product": "WP Job Portal",
"vendor": "wpjobportal",
"versions": [
{
"changes": [
{
"at": "2.2.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.2.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:35:25.010Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Path Traversal: \u0027.../...//\u0027 vulnerability in wpjobportal WP Job Portal wp-job-portal allows PHP Local File Inclusion.\u003cp\u003eThis issue affects WP Job Portal: from n/a through \u003c= 2.2.8.\u003c/p\u003e"
}
],
"value": "Path Traversal: \u0027.../...//\u0027 vulnerability in wpjobportal WP Job Portal wp-job-portal allows PHP Local File Inclusion.This issue affects WP Job Portal: from n/a through \u003c= 2.2.8."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "PHP Local File Inclusion"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-35",
"description": "Path Traversal: \u0027.../...//\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:45:47.921Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-2-8-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP Job Portal plugin \u003c= 2.2.8 - Local File Inclusion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-26935",
"datePublished": "2025-02-25T14:17:54.939Z",
"dateReserved": "2025-02-17T11:51:10.110Z",
"dateUpdated": "2026-04-01T15:45:47.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-13873 (GCVE-0-2024-13873)
Vulnerability from cvelistv5 – Published: 2025-02-22 03:20 – Updated: 2025-02-22 15:30
VLAI?
Title
WP Job Portal <= 2.2.8 - Insecure Direct Object Reference to Authenticated (Subscriber+) User Photo Disconnection
Summary
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.8 via the deleteUserPhoto() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove profile photos from users accounts. Please note that this does not officially delete the file.
Severity ?
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – A Complete Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.2.8
(semver)
|
Credits
Tran Van Nhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-22T15:30:31.545879Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-22T15:30:45.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.2.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Van Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.8 via the deleteUserPhoto() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove profile photos from users accounts. Please note that this does not officially delete the file."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-22T03:20:59.210Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5fdba3c5-382e-4d2b-83d8-0e0cebf2e63c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3242653/wp-job-portal/tags/2.2.9/includes/classes/uploads.php?old=3238353\u0026old_path=wp-job-portal%2Ftags%2F2.2.8%2Fincludes%2Fclasses%2Fuploads.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-21T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.2.8 - Insecure Direct Object Reference to Authenticated (Subscriber+) User Photo Disconnection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13873",
"datePublished": "2025-02-22T03:20:59.210Z",
"dateReserved": "2025-02-13T18:05:26.299Z",
"dateUpdated": "2025-02-22T15:30:45.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13372 (GCVE-0-2024-13372)
Vulnerability from cvelistv5 – Published: 2025-02-01 07:21 – Updated: 2025-02-03 16:36
VLAI?
Title
WP Job Portal <= 2.2.6 - Insecure Direct Object Reference to Unauthenticated Arbitrary Resume Download
Summary
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the getresumefiledownloadbyid() and getallresumefiles() functions due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to download users resumes without the appropriate authorization to do so.
Severity ?
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – A Complete Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.2.6
(semver)
|
Credits
Tran Van Nhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13372",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T16:23:55.288585Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T16:36:44.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.2.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Van Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the getresumefiledownloadbyid() and getallresumefiles() functions due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to download users resumes without the appropriate authorization to do so."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-01T07:21:39.891Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e00e65ba-db58-4d13-8cb3-c4d62a2553fb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3229608/wp-job-portal/tags/2.2.7/modules/resume/controller.php?old=3216415\u0026old_path=wp-job-portal%2Ftags%2F2.2.6%2Fmodules%2Fresume%2Fcontroller.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-31T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.2.6 - Insecure Direct Object Reference to Unauthenticated Arbitrary Resume Download"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13372",
"datePublished": "2025-02-01T07:21:39.891Z",
"dateReserved": "2025-01-13T20:30:30.626Z",
"dateUpdated": "2025-02-03T16:36:44.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13371 (GCVE-0-2024-13371)
Vulnerability from cvelistv5 – Published: 2025-02-01 07:21 – Updated: 2025-02-03 16:36
VLAI?
Title
WP Job Portal <= 2.2.6 - Missing Authorization to Unauthenticated Arbitrary Email Sending
Summary
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized arbitrary emails sending due to a missing capability check on the sendEmailToJobSeeker() function in all versions up to, and including, 2.2.6. This makes it possible for unauthenticated attackers to send arbitrary emails with arbitrary content from the sites mail server.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – A Complete Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.2.6
(semver)
|
Credits
Tran Van Nhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13371",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T16:23:57.820119Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T16:36:52.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.2.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Van Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized arbitrary emails sending due to a missing capability check on the sendEmailToJobSeeker() function in all versions up to, and including, 2.2.6. This makes it possible for unauthenticated attackers to send arbitrary emails with arbitrary content from the sites mail server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-01T07:21:39.546Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a84a4c56-a44e-450d-91fc-024f8ddeedee?source=cve"
},
{
"url": "https://gist.github.com/g1-nhantv/31b04bc057046ecc54c3552387eb7bca"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3229608/wp-job-portal/tags/2.2.7/modules/jobapply/model.php?old=3216415\u0026old_path=wp-job-portal%2Ftags%2F2.2.6%2Fmodules%2Fjobapply%2Fmodel.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-31T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.2.6 - Missing Authorization to Unauthenticated Arbitrary Email Sending"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13371",
"datePublished": "2025-02-01T07:21:39.546Z",
"dateReserved": "2025-01-13T19:55:00.788Z",
"dateUpdated": "2025-02-03T16:36:52.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13428 (GCVE-0-2024-13428)
Vulnerability from cvelistv5 – Published: 2025-02-01 07:21 – Updated: 2025-02-03 16:37
VLAI?
Title
WP Job Portal <= 2.2.6 - Insecure Direct Object Reference to Unauthenticated Company Logo Deletion
Summary
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the deleteCompanyLogo() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary company logos.
Severity ?
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – A Complete Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.2.6
(semver)
|
Credits
Tran Van Nhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T16:24:01.183303Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T16:37:00.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.2.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Van Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the deleteCompanyLogo() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary company logos."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-01T07:21:39.178Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7c786fe-898e-4478-97b9-c1fb41c9081c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3229608/wp-job-portal/tags/2.2.7/modules/company/model.php?old=3216415\u0026old_path=wp-job-portal%2Ftags%2F2.2.6%2Fmodules%2Fcompany%2Fmodel.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-31T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.2.6 - Insecure Direct Object Reference to Unauthenticated Company Logo Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13428",
"datePublished": "2025-02-01T07:21:39.178Z",
"dateReserved": "2025-01-15T19:30:45.393Z",
"dateUpdated": "2025-02-03T16:37:00.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13425 (GCVE-0-2024-13425)
Vulnerability from cvelistv5 – Published: 2025-02-01 07:21 – Updated: 2025-02-03 16:37
VLAI?
Title
WP Job Portal <= 2.2.6 - Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Company Deletion
Summary
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the enforcedelete() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Employer-level access and above, to delete other users companies.
Severity ?
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – A Complete Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.2.6
(semver)
|
Credits
Tran Van Nhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13425",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T16:07:39.272204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T16:37:09.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.2.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Van Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the enforcedelete() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Employer-level access and above, to delete other users companies."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-01T07:21:38.797Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a14e110f-0850-44f4-8de3-95a654096ae8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3229608/wp-job-portal/tags/2.2.7/modules/company/controller.php?old=3216415\u0026old_path=wp-job-portal%2Ftags%2F2.2.6%2Fmodules%2Fcompany%2Fcontroller.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-31T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.2.6 - Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Company Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13425",
"datePublished": "2025-02-01T07:21:38.797Z",
"dateReserved": "2025-01-15T19:23:55.733Z",
"dateUpdated": "2025-02-03T16:37:09.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13429 (GCVE-0-2024-13429)
Vulnerability from cvelistv5 – Published: 2025-02-01 07:21 – Updated: 2025-02-03 16:37
VLAI?
Title
WP Job Portal <= 2.2.6 - Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Job Deletion
Summary
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the 'jobenforcedelete' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with employer-level access and above, to delete arbitrary
Severity ?
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – A Complete Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.2.6
(semver)
|
Credits
Tran Van Nhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13429",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T16:07:42.567476Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T16:37:16.983Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.2.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Van Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the \u0027jobenforcedelete\u0027 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with employer-level access and above, to delete arbitrary"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-01T07:21:38.390Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9cbce69a-53d0-4b83-9b7a-893a6b9c39c4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3229608/wp-job-portal/tags/2.2.7/modules/job/controller.php?old=3216415\u0026old_path=wp-job-portal%2Ftags%2F2.2.6%2Fmodules%2Fjob%2Fcontroller.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-31T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.2.6 - Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Job Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13429",
"datePublished": "2025-02-01T07:21:38.390Z",
"dateReserved": "2025-01-15T19:40:11.067Z",
"dateUpdated": "2025-02-03T16:37:16.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12131 (GCVE-0-2024-12131)
Vulnerability from cvelistv5 – Published: 2025-01-07 12:43 – Updated: 2025-01-07 14:29
VLAI?
Title
WP Job Portal – A Complete Recruitment System for Company or Job Board website <= 2.2.5- Authenticated (Subscriber+) Insecure Direct Object Reference
Summary
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.5 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit resumes for other applicants when applying for jobs.
Severity ?
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – A Complete Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.2.5
(semver)
|
Credits
Apostolos Sakellariou
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12131",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T14:29:02.623660Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T14:29:14.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.2.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Apostolos Sakellariou"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.5 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit resumes for other applicants when applying for jobs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T12:43:40.934Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4772ab0-41cd-4b35-bda9-d72e0fd7b7a5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.2.6/modules/jobapply/model.php?rev=3216415"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-04T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-06T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website \u003c= 2.2.5- Authenticated (Subscriber+) Insecure Direct Object Reference"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12131",
"datePublished": "2025-01-07T12:43:40.934Z",
"dateReserved": "2024-12-04T02:44:10.806Z",
"dateUpdated": "2025-01-07T14:29:14.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12132 (GCVE-0-2024-12132)
Vulnerability from cvelistv5 – Published: 2025-01-03 08:22 – Updated: 2025-01-03 14:31
VLAI?
Title
WP Job Portal – A Complete Recruitment System for Company or Job Board website <= 2.2.4 - Authenticated (Subscriber+) Insecure Direct Object Reference
Summary
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create jobs for companies that are unaffiliated with the attacker.
Severity ?
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – A Complete Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.2.4
(semver)
|
Credits
Apostolos Sakellariou
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12132",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T14:30:53.605740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T14:31:03.355Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.2.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Apostolos Sakellariou"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create jobs for companies that are unaffiliated with the attacker."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T08:22:21.179Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d19ac6fc-029f-4f19-913e-e082acecc594?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3210251/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-02T19:25:08.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website \u003c= 2.2.4 - Authenticated (Subscriber+) Insecure Direct Object Reference"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12132",
"datePublished": "2025-01-03T08:22:21.179Z",
"dateReserved": "2024-12-04T02:48:34.516Z",
"dateUpdated": "2025-01-03T14:31:03.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11712 (GCVE-0-2024-11712)
Vulnerability from cvelistv5 – Published: 2024-12-14 06:45 – Updated: 2024-12-16 16:41
VLAI?
Title
WP Job Portal <= 2.2.2 - Missing Authorization to Unauthenticated Arbitrary Resume Download
Summary
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getResumeFileDownloadById() function in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to download other users resumes.
Severity ?
5.3 (Medium)
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – A Complete Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.2.2
(semver)
|
Credits
Tran Van Nhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T15:59:28.142233Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T16:41:03.343Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.2.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Van Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getResumeFileDownloadById() function in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to download other users resumes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-14T06:45:16.858Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ecc87d5f-dba4-40f8-946f-f2634614b579?source=cve"
},
{
"url": "https://gist.github.com/g1-nhantv/245d2829c1b489f61c9124086506b6b8"
},
{
"url": "https://gist.github.com/g1-nhantv/7a26a9681eb3413d8be9323fb151fdcd"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3202327/wp-job-portal/tags/2.2.3/modules/resume/model.php?old=3187129\u0026old_path=wp-job-portal%2Ftags%2F2.2.2%2Fmodules%2Fresume%2Fmodel.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.2.2 - Missing Authorization to Unauthenticated Arbitrary Resume Download"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11712",
"datePublished": "2024-12-14T06:45:16.858Z",
"dateReserved": "2024-11-25T17:06:35.770Z",
"dateUpdated": "2024-12-16T16:41:03.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11710 (GCVE-0-2024-11710)
Vulnerability from cvelistv5 – Published: 2024-12-14 06:45 – Updated: 2024-12-16 17:47
VLAI?
Title
WP Job Portal <= 2.2.2 - Authenticated (Admin+) SQL Injection
Summary
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the 'fieldfor', 'visibleParent' and 'id' parameters in all versions up to, and including, 2.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
4.9 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – A Complete Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.2.2
(semver)
|
Credits
Tran Van Nhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11710",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T16:49:50.758116Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T17:47:28.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.2.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Van Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the \u0027fieldfor\u0027, \u0027visibleParent\u0027 and \u0027id\u0027 parameters in all versions up to, and including, 2.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-14T06:45:16.471Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80fcaea8-5837-4d8c-afef-b9ed4fd31227?source=cve"
},
{
"url": "https://gist.github.com/g1-nhantv/40e061bbd2aa26bb89060aff7879feb1"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3202327/wp-job-portal/tags/2.2.3/modules/fieldordering/model.php?old=3187129\u0026old_path=wp-job-portal%2Ftags%2F2.2.2%2Fmodules%2Ffieldordering%2Fmodel.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.2.2 - Authenticated (Admin+) SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11710",
"datePublished": "2024-12-14T06:45:16.471Z",
"dateReserved": "2024-11-25T16:53:13.328Z",
"dateUpdated": "2024-12-16T17:47:28.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11711 (GCVE-0-2024-11711)
Vulnerability from cvelistv5 – Published: 2024-12-14 06:45 – Updated: 2024-12-16 17:47
VLAI?
Title
WP Job Portal <= 2.2.1 - Unauthenticated SQL Injection
Summary
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the 'resumeid' parameter in all versions up to, and including, 2.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
7.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – A Complete Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.2.1
(semver)
|
Credits
Tran Van Nhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11711",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T16:55:39.767211Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T17:47:38.917Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.2.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Van Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the \u0027resumeid\u0027 parameter in all versions up to, and including, 2.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-14T06:45:16.039Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5d8961fd-68ac-4a10-ab26-cfcda27c18e8?source=cve"
},
{
"url": "https://gist.github.com/g1-nhantv/b388ef3b4ff57c69f719c363d7fea399#file-resume_model-php-L35"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3202327/wp-job-portal/tags/2.2.3/modules/resume/model.php?old=3187129\u0026old_path=wp-job-portal%2Ftags%2F2.2.2%2Fmodules%2Fresume%2Fmodel.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.2.1 - Unauthenticated SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11711",
"datePublished": "2024-12-14T06:45:16.039Z",
"dateReserved": "2024-11-25T17:03:30.631Z",
"dateUpdated": "2024-12-16T17:47:38.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11714 (GCVE-0-2024-11714)
Vulnerability from cvelistv5 – Published: 2024-12-14 06:45 – Updated: 2024-12-16 17:47
VLAI?
Title
WP Job Portal <= 2.2.2 - Authenticated (Admin+) SQL Injection via getFieldsForVisibleCombobox()
Summary
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the 'ff' parameter of the getFieldsForVisibleCombobox() function in all versions up to, and including, 2.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
4.9 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – A Complete Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.2.2
(semver)
|
Credits
Tran Van Nhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T16:49:53.603460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T17:47:47.634Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.2.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Van Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the \u0027ff\u0027 parameter of the getFieldsForVisibleCombobox() function in all versions up to, and including, 2.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-14T06:45:15.610Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/505858dc-c420-484c-a067-6962836eea6a?source=cve"
},
{
"url": "https://gist.github.com/g1-nhantv/60182158e1d763b2f4c3b5e2972b6961#file-fieldordering_model-php-L6"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3202327/wp-job-portal/tags/2.2.3/modules/fieldordering/model.php?old=3187129\u0026old_path=wp-job-portal%2Ftags%2F2.2.2%2Fmodules%2Ffieldordering%2Fmodel.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.2.2 - Authenticated (Admin+) SQL Injection via getFieldsForVisibleCombobox()"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11714",
"datePublished": "2024-12-14T06:45:15.610Z",
"dateReserved": "2024-11-25T17:14:11.494Z",
"dateUpdated": "2024-12-16T17:47:47.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11713 (GCVE-0-2024-11713)
Vulnerability from cvelistv5 – Published: 2024-12-14 06:45 – Updated: 2024-12-16 17:47
VLAI?
Title
WP Job Portal <= 2.2.2 - Authenticated (Admin+) SQL Injection via wpjobportal_deactivate()
Summary
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the 'page_id' parameter of the wpjobportal_deactivate() function in all versions up to, and including, 2.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
4.9 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – A Complete Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.2.2
(semver)
|
Credits
Nhien Pham
Tran Van Nhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T16:49:56.742225Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T17:47:54.904Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.2.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nhien Pham"
},
{
"lang": "en",
"type": "finder",
"value": "Tran Van Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the \u0027page_id\u0027 parameter of the wpjobportal_deactivate() function in all versions up to, and including, 2.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-14T06:45:15.220Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4d67675a-b77b-41c6-a94f-d9385e609b37?source=cve"
},
{
"url": "https://gist.github.com/g1-nhantv/08ea67adc67d1ba98bf56c4fae5aec0f#file-deactivation-php-L11"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3202327/wp-job-portal/tags/2.2.3/includes/deactivation.php?old=3187129\u0026old_path=wp-job-portal%2Ftags%2F2.2.2%2Fincludes%2Fdeactivation.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.2.2 - Authenticated (Admin+) SQL Injection via wpjobportal_deactivate()"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11713",
"datePublished": "2024-12-14T06:45:15.220Z",
"dateReserved": "2024-11-25T17:10:10.755Z",
"dateUpdated": "2024-12-16T17:47:54.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11715 (GCVE-0-2024-11715)
Vulnerability from cvelistv5 – Published: 2024-12-14 06:45 – Updated: 2024-12-16 17:48
VLAI?
Title
WP Job Portal <= 2.2.2 - Missing Authorization to Limited Privilege Escalation
Summary
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the assignUserRole() function in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to elevate their privileges to that of an employer.
Severity ?
4.8 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – A Complete Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.2.2
(semver)
|
Credits
Tran Van Nhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T16:49:59.834101Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T17:48:03.674Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.2.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Van Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the assignUserRole() function in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to elevate their privileges to that of an employer."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-14T06:45:14.790Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4107199d-e3c7-4379-b39d-1868de7d777b?source=cve"
},
{
"url": "https://gist.github.com/tvnnn/9b706643c5f88989c98815be8b101e11"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3202327/wp-job-portal/tags/2.2.3/modules/user/controller.php?old=3187129\u0026old_path=wp-job-portal%2Ftags%2F2.2.2%2Fmodules%2Fuser%2Fcontroller.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.2.2 - Missing Authorization to Limited Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11715",
"datePublished": "2024-12-14T06:45:14.790Z",
"dateReserved": "2024-11-25T17:32:12.284Z",
"dateUpdated": "2024-12-16T17:48:03.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52389 (GCVE-0-2024-52389)
Vulnerability from cvelistv5 – Published: 2024-11-18 21:29 – Updated: 2026-04-01 15:38
VLAI?
Title
WordPress WP Job Portal plugin <= 2.2.0 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpjobportal WP Job Portal wp-job-portal allows Stored XSS.This issue affects WP Job Portal: from n/a through <= 2.2.0.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal |
Affected:
0 , ≤ 2.2.0
(custom)
|
Date Public ?
2026-04-01 16:29
Credits
casol | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T15:24:39.483515Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T15:24:54.293Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-job-portal",
"product": "WP Job Portal",
"vendor": "wpjobportal",
"versions": [
{
"changes": [
{
"at": "2.2.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "casol | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:29:47.012Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in wpjobportal WP Job Portal wp-job-portal allows Stored XSS.\u003cp\u003eThis issue affects WP Job Portal: from n/a through \u003c= 2.2.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in wpjobportal WP Job Portal wp-job-portal allows Stored XSS.This issue affects WP Job Portal: from n/a through \u003c= 2.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:38:40.158Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP Job Portal plugin \u003c= 2.2.0 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-52389",
"datePublished": "2024-11-18T21:29:46.576Z",
"dateReserved": "2024-11-11T06:38:56.851Z",
"dateUpdated": "2026-04-01T15:38:40.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7950 (GCVE-0-2024-7950)
Vulnerability from cvelistv5 – Published: 2024-09-04 02:33 – Updated: 2024-09-04 14:21
VLAI?
Title
WP Job Portal <= 2.1.6 - Missing Authorization to Unauthenticated Local File Inclusion, Arbitrary Settings Update, and User Creation
Summary
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Local File Inclusion, Arbitrary Settings Update, and User Creation in all versions up to, and including, 2.1.6 via several functions called by the 'checkFormRequest' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Attackers can also update arbitrary settings and create user accounts even when registration is disabled, leading to user creation with a default role of Administrator.
Severity ?
9.8 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal – A Complete Recruitment System for Company or Job Board website |
Affected:
* , ≤ 2.1.6
(semver)
|
Credits
Connor Billings
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpjobportal:wp_job_portal:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "wp_job_portal",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.1.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T14:20:26.059795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T14:21:07.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website",
"vendor": "wpjobportal",
"versions": [
{
"lessThanOrEqual": "2.1.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Connor Billings"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Local File Inclusion, Arbitrary Settings Update, and User Creation in all versions up to, and including, 2.1.6 via several functions called by the \u0027checkFormRequest\u0027 function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included. Attackers can also update arbitrary settings and create user accounts even when registration is disabled, leading to user creation with a default role of Administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T02:33:48.311Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ca1d5275-3398-47a7-889b-4050ebe635ee?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.1.5/includes/formhandler.php"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.1.5/includes/includer.php"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.1.5/includes/wpjobportal-hooks.php"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.1.5/modules/configuration/controller.php"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.1.5/modules/user/controller.php"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.1.5/modules/user/tmpl/views/frontend/form-field.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3138675/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-03T14:04:34.000Z",
"value": "Disclosed"
}
],
"title": "WP Job Portal \u003c= 2.1.6 - Missing Authorization to Unauthenticated Local File Inclusion, Arbitrary Settings Update, and User Creation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7950",
"datePublished": "2024-09-04T02:33:48.311Z",
"dateReserved": "2024-08-19T17:08:44.126Z",
"dateUpdated": "2024-09-04T14:21:07.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43266 (GCVE-0-2024-43266)
Vulnerability from cvelistv5 – Published: 2024-08-18 21:34 – Updated: 2026-04-01 15:34
VLAI?
Title
WordPress WP Job Portal plugin <= 2.1.8 - Insecure Direct Object References (IDOR) vulnerability
Summary
Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal.This issue affects WP Job Portal: from n/a through <= 2.1.8.
Severity ?
No CVSS data available.
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal |
Affected:
0 , ≤ 2.1.8
(custom)
|
Date Public ?
2026-04-01 16:27
Credits
LuxF0z | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43266",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T13:33:04.645298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T13:33:12.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-job-portal",
"product": "WP Job Portal",
"vendor": "wpjobportal",
"versions": [
{
"changes": [
{
"at": "2.1.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.1.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LuxF0z | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:27:13.075Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal.\u003cp\u003eThis issue affects WP Job Portal: from n/a through \u003c= 2.1.8.\u003c/p\u003e"
}
],
"value": "Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal.This issue affects WP Job Portal: from n/a through \u003c= 2.1.8."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:34:47.389Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-a-complete-job-board-plugin-2-1-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP Job Portal plugin \u003c= 2.1.8 - Insecure Direct Object References (IDOR) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-43266",
"datePublished": "2024-08-18T21:34:59.503Z",
"dateReserved": "2024-08-09T09:20:48.471Z",
"dateUpdated": "2026-04-01T15:34:47.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35759 (GCVE-0-2024-35759)
Vulnerability from cvelistv5 – Published: 2024-06-21 12:41 – Updated: 2026-04-01 15:34
VLAI?
Title
WordPress WP Job Portal plugin <= 2.1.3 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpjobportal WP Job Portal wp-job-portal.This issue affects WP Job Portal: from n/a through <= 2.1.3.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal |
Affected:
0 , ≤ 2.1.3
(custom)
|
Date Public ?
2026-04-01 16:26
Credits
LuxF0z | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-21T14:00:28.637245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T14:00:51.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:14:53.991Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-job-portal/wordpress-wp-job-portal-plugin-2-1-3-admin-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-job-portal",
"product": "WP Job Portal",
"vendor": "wpjobportal",
"versions": [
{
"changes": [
{
"at": "2.1.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.1.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LuxF0z | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:26:08.865Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in wpjobportal WP Job Portal wp-job-portal.\u003cp\u003eThis issue affects WP Job Portal: from n/a through \u003c= 2.1.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in wpjobportal WP Job Portal wp-job-portal.This issue affects WP Job Portal: from n/a through \u003c= 2.1.3."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:34:19.856Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-1-3-admin-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP Job Portal plugin \u003c= 2.1.3 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-35759",
"datePublished": "2024-06-21T12:41:32.691Z",
"dateReserved": "2024-05-17T10:10:41.866Z",
"dateUpdated": "2026-04-01T15:34:19.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35760 (GCVE-0-2024-35760)
Vulnerability from cvelistv5 – Published: 2024-06-21 12:40 – Updated: 2026-04-01 15:34
VLAI?
Title
WordPress WP Job Portal plugin <= 2.1.3 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpjobportal WP Job Portal wp-job-portal allows DOM-Based XSS.This issue affects WP Job Portal: from n/a through <= 2.1.3.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpjobportal | WP Job Portal |
Affected:
0 , ≤ 2.1.3
(custom)
|
Date Public ?
2026-04-01 16:26
Credits
LuxF0z | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-21T14:00:39.625387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T14:02:59.329Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:14:54.055Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-job-portal/wordpress-wp-job-portal-a-complete-job-board-plugin-2-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-job-portal",
"product": "WP Job Portal",
"vendor": "wpjobportal",
"versions": [
{
"changes": [
{
"at": "2.1.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.1.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LuxF0z | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:26:09.459Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in wpjobportal WP Job Portal wp-job-portal allows DOM-Based XSS.\u003cp\u003eThis issue affects WP Job Portal: from n/a through \u003c= 2.1.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in wpjobportal WP Job Portal wp-job-portal allows DOM-Based XSS.This issue affects WP Job Portal: from n/a through \u003c= 2.1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "DOM-Based XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:34:20.007Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-a-complete-job-board-plugin-2-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP Job Portal plugin \u003c= 2.1.3 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-35760",
"datePublished": "2024-06-21T12:40:10.390Z",
"dateReserved": "2024-05-17T10:10:41.866Z",
"dateUpdated": "2026-04-01T15:34:20.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}