CVE-2024-12213
Published: 12 February 2025
Description
The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to 2.3.16. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on vulnerable sites. Please note that this may have been patched sooner; however, the oldest available version in which we could confirm the patch was 1.2.85.
Security Summary
CVE-2024-12213 is a privilege escalation vulnerability affecting the WP Job Board Pro plugin for WordPress in all versions up to and including 2.3.16. The flaw stems from the plugin permitting users to supply the 'role' field during registration, enabling unauthorized role assignment. It has been assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-266: Incorrect Privilege Assignment.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By manipulating the 'role' field during the registration process, they can create an account with administrator privileges, potentially gaining full control over the affected WordPress site, including access to sensitive data, modification of content, and execution of arbitrary actions.
Advisories indicate the vulnerability may have been addressed prior to version 2.3.16, with the oldest confirmed patched version being 1.2.85. Security practitioners should urge site administrators to update the WP Job Board Pro plugin to a patched version. Relevant details are available in the Wordfence threat intelligence report and the plugin's ThemeForest listing.
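The following PHP is an added illustration of the CWE-266 pattern the advisory describes and of a hardened registration handler; it is not code from WP Job Board Pro or from Wordfence. The `jb_` function names, the `JB_SELF_SERVICE_ROLES` list (`candidate`, `employer`) and the `jb_register` nonce action are assumptions made for the example; the WordPress functions it calls (`wp_insert_user`, `sanitize_key`, `get_option`, `wp_verify_nonce`, the `set_user_role` action) are real core APIs.

```php
<?php
/**
 * Added example (not the plugin's own code): a WordPress registration
 * handler that trusts a request-supplied role, next to a hardened form.
 * Function names, the 'jb_' prefix and the role list are assumptions.
 */

// WEAK PATTERN: the role is copied straight from the request, so any
// unauthenticated visitor can ask for 'administrator' at sign-up time.
// wp_insert_user() performs no capability check of its own.
function jb_register_user_unsafe() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => sanitize_text_field( $_POST['role'] ?? '' ), // request-controlled
    );
    return wp_insert_user( $userdata );
}

// HARDENED FORM: the request may only choose among low-privilege roles the
// plugin defines; anything else falls back to the site's default role.
// Administrator (or any other capable role) is never reachable from the form.
const JB_SELF_SERVICE_ROLES = array( 'candidate', 'employer' ); // assumed plugin roles

function jb_resolve_registration_role( string $requested ): string {
    $requested = sanitize_key( $requested );
    if ( in_array( $requested, JB_SELF_SERVICE_ROLES, true ) ) {
        return $requested;
    }
    $default = get_option( 'default_role', 'subscriber' );
    // A misconfigured default_role must not hand out administrator either.
    return ( 'administrator' === $default ) ? 'subscriber' : $default;
}

function jb_register_user_safe() {
    $nonce = isset( $_POST['jb_nonce'] ) ? (string) $_POST['jb_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'jb_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid registration request.' );
    }
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        // The submitted value is only ever an index into the allowlist.
        'role'       => jb_resolve_registration_role( (string) ( $_POST['role'] ?? '' ) ),
    );
    return wp_insert_user( $userdata );
}

// DETECTION: log whenever a privileged role is assigned by a request whose
// current user lacks promote_users (an unauthenticated sign-up has no user
// at all, so this fires for exactly the case the advisory describes).
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    $privileged = array( 'administrator', 'editor' );
    if ( in_array( $role, $privileged, true ) && ! current_user_can( 'promote_users' ) ) {
        error_log( sprintf(
            'Privileged role "%s" assigned to user %d without promote_users capability',
            $role,
            (int) $user_id
        ) );
    }
}, 10, 3 );
```

The detection hook can be dropped into a must-use plugin independently of the vulnerable plugin; it does not block the assignment, it only produces a log line a monitoring pipeline can alert on. After updating, administrators should also review the Users screen for accounts that hold the administrator role but were created through the plugin's self-registration form, since an update does not demote accounts that already exist.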
Details
- CWE(s)