CVE-2024-11714

Name of the Vulnerable Software and Affected Versions WP Job Portal plugin versions prior to 2.2.3

Description The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the ff parameter of the getFieldsForVisibleCombobox() function due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Recommendations For versions prior to 2.2.3, update to the latest version to mitigate risks. As a temporary workaround, consider restricting access to the getFieldsForVisibleCombobox() function until a patch is available. Avoid using the ff parameter in the affected function until the issue is resolved.