PT-2025-7400 · WordPress · The Wp Job Portal

Thevietronin · Published 2025-02-22 · Updated 2025-02-22 · CVE-2024-13873

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress, versions up to and including 2.2.8.

Description: The issue is an Insecure Direct Object Reference (IDOR) that allows authenticated attackers with Subscriber-level access and above to remove profile photos from other users' accounts via the deleteUserPhoto() function. The root cause is missing validation on a user-controlled key: the function acts on whichever user identifier the request supplies instead of checking that the caller owns (or may edit) the targeted profile. The attack does not actually delete the file itself; it only removes the photo from the affected user's profile.

Recommendations: For versions up to and including 2.2.8, consider disabling the deleteUserPhoto() function until a patch is available, to prevent exploitation. Restrict access to the deleteUserPhoto() function so that only the profile owner (or a user with the capability to edit that profile) can invoke it, to minimize the risk of unauthorized profile photo removal.
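The following is an added illustration of the weakness class described above and of the access restriction the recommendation asks for. It is not the WP Job Portal plugin's code: the handler names, the AJAX action, the nonce name and the user-meta key are all hypothetical. The first handler shows the IDOR pattern (trusting a client-supplied user ID); the second derives authorization from the authenticated session, requires a nonce, and logs rejected attempts so they can be picked up in server logs.

```php
<?php
// Added example of an IDOR on a user-controlled key and its hardened form.
// NOT the WP Job Portal plugin's code; all names below are hypothetical.

// Hypothetical user-meta key under which a profile photo reference is stored.
const WPJP_PHOTO_META_KEY = 'wpjp_profile_photo';

/**
 * Vulnerable pattern: the user ID comes straight from the request and is
 * never compared with the caller. Any logged-in user can supply someone
 * else's ID and strip that user's profile photo.
 */
function wpjp_vulnerable_delete_user_photo() {
    $uid = isset( $_POST['uid'] ) ? (int) $_POST['uid'] : 0;
    delete_user_meta( $uid, WPJP_PHOTO_META_KEY ); // no ownership/capability check
    wp_send_json_success();
}

/**
 * Hardened pattern: authorization is derived from the session, not from the
 * request, and the request must carry a valid nonce against CSRF.
 */
function wpjp_hardened_delete_user_photo() {
    // Rejects requests without a valid nonce for this action (dies with 403).
    check_ajax_referer( 'wpjp_delete_photo', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    $requested = isset( $_POST['uid'] ) ? absint( $_POST['uid'] ) : 0;
    $caller    = get_current_user_id();

    // Only the profile owner, or a user who may edit that specific user
    // (the 'edit_user' meta capability), is allowed to act on $requested.
    if ( $requested !== $caller && ! current_user_can( 'edit_user', $requested ) ) {
        // Log the denial so repeated attempts are visible to operators.
        error_log( sprintf(
            'wpjp: user %d denied photo removal for user %d from %s',
            $caller,
            $requested,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        wp_send_json_error( 'not authorized for this profile', 403 );
    }

    // Authorized: remove the photo reference from the targeted profile only.
    delete_user_meta( $requested, WPJP_PHOTO_META_KEY );
    wp_send_json_success();
}

// Register only the hardened handler for logged-in AJAX requests (hypothetical action name).
add_action( 'wp_ajax_wpjp_delete_photo', 'wpjp_hardened_delete_user_photo' );
```

The essential difference is that the hardened handler never lets the request decide whose data is modified: the identity comes from get_current_user_id(), and any deviation from it must be justified by a capability check on that specific target user. Until a fixed plugin version is deployed, the same effect can be approximated at the perimeter by blocking the plugin's photo-removal request path for Subscriber-level sessions.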

Tags: Fix · IDOR

Weakness Enumeration

Related Identifiers: CVE-2024-13873

Affected Products: The Wp Job Portal