CRITICAL🇵🇱 Wersja polska

CVE-2024-11286

CVSS 9.8v3.1pub. 2025-03-14upd. 2025-07-08

The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the cs_parse_request() function. This makes it possible for unauthenticated attackers to to log in to any user's account, including administrators.

🤖 AI Analysis
How it works

The vulnerability results from improper user identity verification in the cs_parse_request() function. The plugin does not properly check whether the requester is actually who they claim to be before proceeding with the authentication process. As a result, an attacker can send a crafted request and obtain a session for any user without providing correct login credentials. The absence of any prerequisites (no authorization, no user interaction) makes the attack trivial to perform remotely.

Impact

An attacker can gain full control of the WordPress website by logging in as an administrator, enabling content modification, installation of malicious plugins, theft of user data, and further actions within the infrastructure.

Mitigation & patch

The WP JobHunt plugin should be updated to a version higher than 7.1. Patches available from the vendor should be applied according to references. Until the update is completed, it is recommended to disable the plugin or restrict access to the website at the firewall level.

Who is affected

The WP JobHunt plugin for WordPress in all versions up to and including 7.1 (product associated with the Jobcareer theme by Chimpgroup).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Chimpgroup Jobcareer

    APP
    Chimpgroup
    ≤ 7.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2024-11284CRITICAL9.8PL ✓ten sam produkt

WP JobHunt: nieuwierzytelnione przejęcie konta i privilege escalation

CVE-2024-11285CRITICAL9.8PL ✓ten sam produkt

WP JobHunt dla WordPress – przejęcie konta przez zmianę adresu e-mail

CVE-2024-11283HIGH7.5ten sam produkt

The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and includin...

CVE-2024-12810HIGH8.8ten sam produkt

The JobCareer | Job Board Responsive WordPress Theme theme for WordPress is vulnerable to unauthorized access,...

CVE-2025-32927CRITICAL9.8PL ✓ten sam vendor

PHP Object Injection w pluginie WordPress FoodBakery (do wersji 3.3)