CVE-2024-11283
Published: 14 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-11283 is an authentication bypass vulnerability affecting the WP JobHunt plugin for WordPress in all versions up to and including 7.1. The issue stems from the wp_ajax_google_api_login_callback function, which fails to properly verify a user's identity before authenticating them, as mapped to CWE-289 (Authentication Bypass by Assumed-Immutable Data). This flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its potential for unauthorized data access.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By leveraging the flawed callback function, they can gain access to arbitrary candidate accounts within the plugin, potentially exposing sensitive user data such as resumes, profiles, or job application details.
Mitigation details are outlined in advisories from sources like Wordfence, accessible via their threat intelligence page, and the plugin's listing on ThemeForest. Security practitioners should update to a patched version beyond 7.1 if available and review access logs for suspicious activity on affected sites.
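As an added triage aid for the log review mentioned above (example code, not from the advisory or the plugin), the script below scans combined-format web server log lines for requests that reach the plugin's login callback and flags source IPs hammering it. It assumes the WordPress convention that a `wp_ajax_{action}` handler is reached via `admin-ajax.php?action={action}`, so the action name `google_api_login_callback` is derived, not taken from the advisory; the log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=google_api_login_callback HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [14/Mar/2025:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=google_api_login_callback HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [14/Mar/2025:10:01:04 +0000] "POST /wp-admin/admin-ajax.php?action=google_api_login_callback HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [14/Mar/2025:10:05:00 +0000] "GET /jobs/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Mar/2025:10:05:09 +0000] "POST /wp-admin/admin-ajax.php?action=google_api_login_callback HTTP/1.1" 200 512 "https://example.test/login/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: derived from the WordPress wp_ajax_{action} naming convention,
# not stated in the advisory itself.
SUSPECT_ACTION = "google_api_login_callback"


def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Only query-string actions are visible here; an action sent in the POST
    # body is not recorded in a standard access log.
    rec["action"] = parse_qs(parts.query).get("action", [None])[0]
    return rec


def find_callback_hits(log_text):
    """Return parsed requests that reached the suspect AJAX action."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].endswith("/admin-ajax.php") and rec["action"] == SUSPECT_ACTION:
            hits.append(rec)
    return hits


def flag_sources(hits, threshold=3):
    """Count hits per source IP and return those at or above the threshold."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

A single hit from a browser with a referrer on the site's login page is normal use; a burst of bare POSTs from one address with a scripting user agent is what to pull for closer review.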
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authentication bypass in the public-facing WP JobHunt WordPress plugin directly enables remote exploitation of a public-facing application to gain unauthorized access to user accounts and data.