CVE-2024-13372

Name of the Vulnerable Software and Affected Versions WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress versions up to, and including, 2.2.6

Description The issue concerns an Insecure Direct Object Reference vulnerability. This vulnerability arises due to missing validation on a user-controlled key, specifically through the getresumefiledownloadbyid() and getallresumefiles() functions. As a result, unauthenticated attackers can download users' resumes without proper authorization.

Recommendations For versions up to, and including, 2.2.6, update to a version higher than 2.2.6 to resolve the issue. As a temporary workaround, consider disabling the getresumefiledownloadbyid() and getallresumefiles() functions until a patch is available. Restrict access to resume download functionality to minimize the risk of exploitation.