PT-2025-17898 · WordPress · Jobsearch Wp Job Board

Friderika Baranyai · Published 2025-04-25 · Updated 2025-06-17

CVE-2024-11917 · CVSS v3.1 8.1 (High) · Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: JobSearch WP Job Board plugin for WordPress, versions prior to 2.8.9 (that is, all versions up to and including 2.8.8).
Description: The plugin is vulnerable to authentication bypass due to improper configuration of its jobsearch_xing_response_data_callback, set_access_tokes and google_callback functions (the handlers behind the plugin's Xing and Google login features; "tokes" is the plugin's own spelling). An unauthenticated attacker can log in as the first connected Xing user, or as any connected Xing user whose Xing id is known. An attacker can also log in as the first connected Google user, provided that user has logged in within the last thirty days and has not logged out since. No credentials or user interaction are required; the CVSS vector rates attack complexity as high.
Recommendations: Update to version 2.8.9 or later; all versions up to and including 2.8.8 are affected. Where an immediate update is not possible, disable the plugin's Xing and Google login features (the jobsearch_xing_response_data_callback, set_access_tokes and google_callback code paths) until the update is applied, and restrict who may use social login to limit exposure in the meantime. Because the bypass needs no credentials, sites that ran an affected version with social login enabled should also review recent logins to accounts linked to Xing or Google profiles.
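The practical first question for a site owner is whether the installed build is still in the affected range. The script below is an added example for this advisory, not code from the plugin vendor or from the advisory author: it reads the standard WordPress plugin header ("Version: x.y.z") from a plugin's main PHP file and compares it numerically against the fixed release 2.8.9, so that 2.8.10 is correctly treated as newer than 2.8.9 and a prerelease of 2.8.9 is treated as still affected. The plugin's directory and file names are not asserted by the advisory; PLUGIN_MAIN_FILE is an assumed, hypothetical path, and the sample header is constructed for the example.

```python
"""Affected-version check for CVE-2024-11917 (JobSearch WP Job Board).

Added example for this advisory; not code from the plugin vendor or the
advisory author. Reads the WordPress plugin header ("Version: x.y.z")
and compares it against the fixed release, 2.8.9.
"""
from __future__ import annotations

import re
from pathlib import Path

FIXED_VERSION = "2.8.9"  # first release that resolves the issue

# Assumption: the plugin's real directory/file names are not given by the
# advisory, so this path is hypothetical and only used if it exists.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/example-jobsearch/example.php")

# Same shape WordPress uses to read file headers: label at line start,
# optionally preceded by comment punctuation, value to end of line.
_VERSION_RE = re.compile(
    r"^[ \t/*#@]*Version:[ \t]*(?P<v>\S+)", re.MULTILINE | re.IGNORECASE
)

# Constructed sample of a plugin header, used when no real file is supplied.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: JobSearch WP Job Board
 * Description: constructed sample header for this example
 * Version: 2.8.8
 */
"""


def parse_version(version: str) -> tuple[tuple[int, ...], bool]:
    """Return (numeric components, is_prerelease).

    '2.8.10' -> ((2, 8, 10), False); '2.8.9-beta1' -> ((2, 8, 9), True).
    Comparing integers avoids the lexical trap where '2.8.10' < '2.8.9'.
    """
    core, sep, _suffix = version.partition("-")
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable version {version!r}")
        parts.append(int(piece))
    return tuple(parts), bool(sep)


def _pad(a: tuple[int, ...], b: tuple[int, ...]):
    """Right-pad with zeros so '2.8' compares as '2.8.0'."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `installed` is older than the fixed release.

    A prerelease of the fixed version (e.g. '2.8.9-beta1') counts as
    affected, since it precedes the release that carries the fix.
    """
    inst, inst_pre = parse_version(installed)
    fix, _ = parse_version(fixed)
    inst, fix = _pad(inst, fix)
    if inst < fix:
        return True
    return inst == fix and inst_pre


def version_from_header(php_source: str) -> str | None:
    """Extract the Version: value from plugin header text, or None if absent."""
    match = _VERSION_RE.search(php_source)
    return match.group("v") if match else None


def check_source(php_source: str) -> dict:
    """Classify plugin source text: affected True/False, or None if no header."""
    version = version_from_header(php_source)
    if version is None:
        return {"version": None, "affected": None,
                "note": "no Version: header found; check the plugin manually"}
    return {"version": version, "affected": is_affected(version),
            "note": f"fixed in {FIXED_VERSION}"}


def check_plugin_file(path: Path = PLUGIN_MAIN_FILE) -> dict:
    """Read a plugin main file from disk and classify it."""
    return check_source(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    # Fall back to the constructed sample so the script runs offline.
    if PLUGIN_MAIN_FILE.exists():
        print(check_plugin_file())
    else:
        print(check_source(SAMPLE_PLUGIN_HEADER))
```

On a live site, `wp plugin list --fields=name,version` reports the same number without reading files; the script is for offline checks of backups, mirrors or bulk inventories, where the only evidence is the plugin's own header.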

Fix

Update to version 2.8.9 or later.

Weakness Enumeration

Improper Authentication (CWE-287)

Related Identifiers

CVE-2024-11917

Affected Products

Jobsearch Wp Job Board