CVE-2024-7950

Name of the Vulnerable Software and Affected Versions: The WP Job Portal plugin for WordPress versions up to, and including, 2.1.6

Description: The WP Job Portal plugin for WordPress is vulnerable to Local File Inclusion, Arbitrary Settings Update, and User Creation. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, enabling the execution of any PHP code in those files. Attackers can bypass access controls, obtain sensitive data, or achieve code execution, especially when images and other “safe” file types can be uploaded and included. Additionally, attackers can update arbitrary settings and create user accounts, even when registration is disabled, resulting in user creation with a default role of Administrator. Over 6,000 active installations are potentially exposed to exploitation, risking sensitive data and site integrity.

Recommendations: For The WP Job Portal plugin for WordPress versions up to, and including, 2.1.6: Update to a version later than 2.1.6 to mitigate the risk of Local File Inclusion, Arbitrary Settings Update, and User Creation. As a temporary workaround, consider disabling the checkFormRequest function until a patch is available. Restrict access to sensitive files and settings to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.