CVE-2024-11284
Published: 14 March 2025
Description
MITRE ATT&CK T1078 (Valid Accounts): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Security Summary
CVE-2024-11284 is a privilege escalation vulnerability via account takeover in the WP JobHunt plugin for WordPress, affecting all versions up to and including 6.9. The plugin does not verify the identity of the requesting user before updating a password in the account_settings_save_callback() function, so the account whose password is changed is selected by a value the caller controls rather than by the authenticated session. Published on 2025-03-14, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), the weakness class in which an attacker-supplied key such as a user identifier determines which record an operation acts on.
An unauthenticated attacker can exploit the flaw remotely over the network with low attack complexity and no user interaction or privileges. By submitting a crafted request to the flawed callback, the attacker can reset the password of an arbitrary user, including an administrator, gaining full control of that account and, through it, of the affected WordPress site.
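The following is an added example that models the weakness class described above; it is not the WP JobHunt plugin's code and is not taken from the advisory. It contrasts a password-update handler that picks the target account from a request field (the CWE-639 pattern) with one that acts only on the authenticated session user after a CSRF nonce check. The in-memory user store, the request shape, and the field names user_id, new_password and nonce are assumptions made for illustration; the real plugin's action and parameter names are not given on this page.

```python
"""Constructed model of a CWE-639 password-update flaw and its fix.

Not the WP JobHunt plugin's code: the Site/Request classes, the field names
(user_id, new_password, nonce) and the sample users are assumptions for
illustration only. Hashing uses PBKDF2 purely so the model is self-contained.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _hash(password: str, salt: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


@dataclass
class User:
    user_id: int
    login: str
    role: str
    pw_hash: str
    salt: str

    def check_password(self, candidate: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(candidate, self.salt))


@dataclass
class Site:
    users: dict[int, User] = field(default_factory=dict)
    nonces: dict[int, str] = field(default_factory=dict)  # per-user CSRF nonce

    def add_user(self, user_id: int, login: str, role: str, password: str) -> None:
        salt = secrets.token_hex(8)
        self.users[user_id] = User(user_id, login, role, _hash(password, salt), salt)

    def issue_nonce(self, user_id: int) -> str:
        # Stands in for a logged-in form nonce (wp_create_nonce-style).
        self.nonces[user_id] = secrets.token_hex(16)
        return self.nonces[user_id]

    def set_password(self, user_id: int, new_password: str) -> None:
        u = self.users[user_id]
        u.salt = secrets.token_hex(8)
        u.pw_hash = _hash(new_password, u.salt)


@dataclass
class Request:
    post: dict                       # form body: entirely attacker-controlled
    session_user: Optional[int] = None  # authenticated user, None if logged out


def vulnerable_account_settings_save(site: Site, req: Request) -> str:
    """Flawed pattern: the target account is taken from the request body and the
    caller's identity is never checked, so anyone can reset any user's password."""
    uid = int(req.post["user_id"])
    if uid not in site.users:
        return "error: no such user"
    site.set_password(uid, req.post["new_password"])
    return "ok"


def hardened_account_settings_save(site: Site, req: Request) -> str:
    """Fixed pattern: require a logged-in session, verify the session user's nonce,
    and change only that user's password, ignoring any user_id in the request."""
    if req.session_user is None:
        return "error: authentication required"
    expected = site.nonces.get(req.session_user)
    if expected is None or not hmac.compare_digest(expected, req.post.get("nonce", "")):
        return "error: invalid nonce"
    site.set_password(req.session_user, req.post["new_password"])
    return "ok"


def _fresh_site() -> Site:
    site = Site()
    site.add_user(1, "admin", "administrator", "correct horse battery staple")
    site.add_user(7, "mallory", "subscriber", "mallory-pw")
    return site


def demo() -> dict:
    """Run three scenarios and report (status, admin password is now 'pwned')."""
    results = {}
    attack = Request(post={"user_id": "1", "new_password": "pwned"})  # logged out

    site = _fresh_site()
    status = vulnerable_account_settings_save(site, attack)
    results["unauth_vs_vulnerable"] = (status, site.users[1].check_password("pwned"))

    site = _fresh_site()
    status = hardened_account_settings_save(site, attack)
    results["unauth_vs_hardened"] = (status, site.users[1].check_password("pwned"))

    # Logged-in low-privilege user with a valid nonce still names the admin's id.
    site = _fresh_site()
    idor = Request(post={"user_id": "1", "new_password": "pwned",
                         "nonce": site.issue_nonce(7)}, session_user=7)
    status = hardened_account_settings_save(site, idor)
    results["authed_idor_vs_hardened"] = (status,
                                          site.users[1].check_password("pwned"),
                                          site.users[7].check_password("pwned"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The third scenario is the one that distinguishes a real fix from a cosmetic one: a handler that merely adds a login check but still honours user_id from the body remains exploitable by any registered user. The hardened version derives the target from the session and never reads user_id at all.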
Advisories provide further details on the issue, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/8afe386e-1e4f-4668-8309-6d47dedb008a?source=cve and the plugin's ThemeForest page at https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636.
Details
- CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)
- Affected Products: WP JobHunt plugin for WordPress, all versions up to and including 6.9
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation), T1078 (Valid Accounts)
Why these techniques?
A vulnerability in a public-facing WordPress plugin allows remote, unauthenticated exploitation for initial access (T1190); the resulting password reset of an administrator account is a direct privilege escalation via account takeover (T1068); and the attacker then operates the site with the stolen account's legitimate credentials (T1078).