CVE-2024-13771
Published: 14 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-13771 is an authentication bypass vulnerability affecting the Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress in all versions up to and including 2.1.4. The issue stems from a lack of user validation before changing a password, allowing attackers to reset passwords without proper authentication checks. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 and CWE-306.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required. If an attacker knows the username of a target user, including administrators, they can change that user's password, potentially gaining full account takeover and control over the WordPress site.
Advisories and further details are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/5ab2c74d-b83b-40ea-951c-83aeb76a7515?source=cve and the plugin's ThemeForest page at https://themeforest.net/item/civi-job-board-wordpress-theme/42770817. The vulnerability was published on 2025-03-14.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass in public-facing WordPress plugin enables remote unauthenticated exploitation for initial access and account takeover.