CVE-2024-11284

Name of the Vulnerable Software and Affected Versions: WP JobHunt plugin for WordPress versions up to, and including, 6.9

Description: The issue is related to privilege escalation via account takeover. This is due to the plugin not properly validating a user's identity prior to updating their password through the account settings save callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Recommendations: For versions up to, and including, 6.9, update to a version that fixes this issue to prevent privilege escalation via account takeover. As a temporary workaround, consider disabling the account settings save callback() function until a patch is available.