CVE-2024-13429

Name of the Vulnerable Software and Affected Versions WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress versions up to, and including, 2.2.6

Description The issue is related to Insecure Direct Object Reference, which allows authenticated attackers with employer-level access and above to delete arbitrary data. This is possible due to missing validation on a user-controlled key via the jobenforcedelete endpoint.

Recommendations For versions up to, and including, 2.2.6, consider disabling the jobenforcedelete endpoint until a patch is available to prevent arbitrary deletion of data. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using the jobenforcedelete endpoint with user-controlled input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.