CVE-2024-11285
Published: 14 March 2025
Description
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Security Summary
CVE-2024-11285 is a critical privilege escalation vulnerability affecting the WP JobHunt plugin for WordPress in all versions up to and including 7.1. The flaw stems from the plugin's account_settings_callback() function failing to properly validate a user's identity before allowing updates to account details, such as email addresses. This authorization bypass, mapped to CWE-639, enables unauthorized modifications without authentication, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By targeting the account settings endpoint, they can arbitrarily change any user's email address, including those of administrators, then use the altered email to initiate a password reset. Successful exploitation results in full account takeover, with high confidentiality, integrity, and availability impact: unauthorized access to privileged accounts and potential further compromise of the WordPress site.
Advisories from sources like Wordfence provide detailed threat intelligence on the vulnerability, while the plugin's listing on ThemeForest offers context on the affected JobCareer theme integration. Practitioners should consult these references for patch availability, as the description indicates no built-in mitigations in vulnerable versions, and updating to a fixed release beyond 7.1 is implied as the primary remediation.
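To illustrate the authorization flaw described above (an update keyed on a request-supplied user identity, reachable without authentication), the following is an added example in the style of a WordPress AJAX callback; it is not the WP JobHunt plugin's code, and the hook names, field names and function names are assumed for illustration.

```php
<?php
// Hypothetical illustration of the CWE-639 pattern described in the summary.
// NOT the WP JobHunt plugin's code; hook, field and function names are assumed.

// Vulnerable shape: the account to update comes from the request, and the
// callback is registered on a wp_ajax_nopriv_* hook, so no login is required.
add_action( 'wp_ajax_nopriv_example_account_settings', 'example_account_settings_vulnerable' );
add_action( 'wp_ajax_example_account_settings', 'example_account_settings_vulnerable' );
function example_account_settings_vulnerable() {
    $user_id = intval( $_POST['user_id'] );              // caller chooses the target
    $email   = sanitize_email( $_POST['user_email'] );   // sanitized, but never authorized
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_send_json_success();
}

// Hardened shape: no nopriv hook, authentication required, the update is bound
// to the caller's own account, and a nonce ties the request to the plugin's form.
add_action( 'wp_ajax_example_account_settings_secure', 'example_account_settings_secure' );
function example_account_settings_secure() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    check_ajax_referer( 'example_account_settings', 'nonce' );

    $user_id = get_current_user_id();                    // never taken from the request
    $email   = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email address', 400 );
    }
    // Refuse addresses already owned by another account.
    $owner = email_exists( $email );
    if ( false !== $owner && (int) $owner !== $user_id ) {
        wp_send_json_error( 'email address already in use', 409 );
    }

    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
```

For detection, requests to admin-ajax.php that change an email on an account other than the authenticated caller's, or that arrive with no WordPress login cookie, are the behaviour to alert on.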
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of a public-facing WordPress application (T1190), direct unauthorized manipulation of user account details like email addresses (T1098), and subsequent takeover of valid accounts including administrators (T1078).