The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.9. This is due to the plugin not properly validating a user's identity prior to updating their password through the account_settings_save_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
The account_settings_save_callback() function responsible for changing the user password does not properly verify the identity of the person sending the request. An attacker without any credentials can send a crafted password change request for a selected account (e.g., administrator). After changing the password, the attacker logs in to the compromised account, gaining full access to its permissions.
An attacker can take control of any WordPress account, including administrator accounts, which in practice means complete takeover of the website — content modification, backdoor installation, and access to user data.
The WP JobHunt plugin should be updated to a version higher than 6.9. Patches available from the vendor should be applied according to the references. Until the update is applied, it is recommended to consider disabling the plugin or restricting access to the website at the firewall level.
WP JobHunt plugin for WordPress in all versions up to and including 6.9, distributed as part of the Jobcareer theme (Chimpgroup)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HChimpgroup Jobcareer
APPChimpgroup≤ 7.1
Related vulnerabilities
WP JobHunt dla WordPress – przejęcie konta przez zmianę adresu e-mail
Authentication bypass w WP JobHunt – przejęcie konta administratora
The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and includin...
The JobCareer | Job Board Responsive WordPress Theme theme for WordPress is vulnerable to unauthorized access,...
PHP Object Injection w pluginie WordPress FoodBakery (do wersji 3.3)