CVE-2024-13873

Medium CVSS: 4.3

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.8 via the deleteUserPhoto() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove profile photos from users accounts. Please note that this does not officially delete the file.

Vendor

Wpjobportal

Product

Wp Job Portal

CWE

CWE-639

Yayın Tarihi

2025-02-22 04:15:09

Güncelleme

2025-03-11 13:32:22

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-639 Wp Job Portal MEDIUM Wpjobportal 2025

Referanslar

https://plugins.trac.wordpress.org/changeset/3242653/wp-job-portal/tags/2.2.9/includes/classes/uploads.php?old=3238353&old_path=wp-job-portal%2Ftags%2F2.2.8%2Fincludes%2Fclasses%2Fuploads.php https://www.wordfence.com/threat-intel/vulnerabilities/id/5fdba3c5-382e-4d2b-83d8-0e0cebf2e63c?source=cve

Benzer Kayıtlar

High

CVE-2025-48274

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpjobportal WP Job…

Unknown

CVE-2025-48273

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wpjobportal WP Job Porta…

Critical

CVE-2025-47438

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in…

Unknown

CVE-2025-48272

Missing Authorization vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured…

High

CVE-2025-26935

Path Traversal: '.../...//' vulnerability in wpjobportal WP Job Portal wp-job-portal allows PHP Local File Inclusion.Thi…

Medium

CVE-2024-13429

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to…