CVE-2024-13371

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized arbitrary emails sending due to a missing capability check on the sendEmailToJobSeeker() function in all versions up to, and including, 2.2.6. This makes it possible for unauthenticated attackers to send arbitrary emails with arbitrary content from the sites mail server.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/g1-nhantv/31b04bc057046ecc54c3552387eb7bca	Product
https://plugins.trac.wordpress.org/changeset/3229608/wp-job-portal/tags/2.2.7/modules/jobapply/model.php?old=3216415&old_path=wp-job-portal%2Ftags%2F2.2.6%2Fmodules%2Fjobapply%2Fmodel.php	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/a84a4c56-a44e-450d-91fc-024f8ddeedee?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wpjobportal:wp_job_portal:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2025-02-01 08:15

Updated : 2025-02-05 16:16

NVD link : CVE-2024-13371

Mitre link : CVE-2024-13371

CVE.ORG link : CVE-2024-13371

JSON object : View

Products Affected

wpjobportal

wp_job_portal

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-13371", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-02-01T08:15:08.567", "references": [{"url": "https://gist.github.com/g1-nhantv/31b04bc057046ecc54c3552387eb7bca", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3229608/wp-job-portal/tags/2.2.7/modules/jobapply/model.php?old=3216415&old_path=wp-job-portal%2Ftags%2F2.2.6%2Fmodules%2Fjobapply%2Fmodel.php", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a84a4c56-a44e-450d-91fc-024f8ddeedee?source=cve", "tags": ["Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized arbitrary emails sending due to a missing capability check on the sendEmailToJobSeeker() function in all versions up to, and including, 2.2.6. This makes it possible for unauthenticated attackers to send arbitrary emails with arbitrary content from the sites mail server."}, {"lang": "es", "value": "El complemento WP Job Portal \u2013 A Complete Recruitment System for Company or Job Board website para WordPress es vulnerable al env\u00edo de correos electr\u00f3nicos arbitrarios no autorizados debido a una verificaci\u00f3n de capacidad faltante en la funci\u00f3n sendEmailToJobSeeker() en todas las versiones hasta la 2.2.6 y incluida. Esto permite que atacantes no autenticados env\u00eden correos electr\u00f3nicos arbitrarios con contenido arbitrario desde el servidor de correo del sitio."}], "lastModified": "2025-02-05T16:16:22.397", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wpjobportal:wp_job_portal:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "2B60A620-1CDA-4081-830E-9CBCE75F10E3", "versionEndExcluding": "2.2.7"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}