
Critical flaw in WP Job Portal puts 6,000 websites at risk


A critical vulnerability, CVE-2024-7950, has been discovered in the widely used WP Job Portal plugin. With over 6,000 active installations, the vulnerability has left these websites open to potential exploitation, posing a severe risk to sensitive data and site integrity.

The vulnerability was identified in August and bundles three critical issues: unauthenticated Local File Inclusion (LFI), Arbitrary Settings Update, and Unauthorised User Creation.

The flaw is particularly dangerous because it allows attackers to gain administrator-level control over the affected WordPress sites without needing to authenticate themselves.

According to the researchers, the root cause lies in the plugin's improper handling of certain functions within its code, specifically the 'checkFormRequest' function, which manages form submissions.

Because this function can be made to call other functions within the plugin, a request that should only submit a form can instead reach functionality that was never meant to be exposed to unauthenticated users, leading to the severe breaches described below.

The vulnerability was patched on August 21 in plugin version 2.1.7.

Researchers found that attackers can leverage the LFI vulnerability to include and execute arbitrary PHP files already present on the server. While some common remote code execution methods are not exploitable because of specific security checks in the plugin, determined attackers can still execute malicious code by chaining this vulnerability with others in the same or a different plugin.

The second issue, the Arbitrary Settings Update, allows attackers to modify key plugin settings, including the roles assigned to new users. By exploiting this, attackers can set the default role for new users to ‘Administrator,’ effectively giving them full control over the site.

The most alarming aspect of this vulnerability is the ability for unauthenticated attackers to create new administrator accounts, even if user registration is disabled. Once an attacker gains administrative access, they can manipulate virtually anything on the site — upload malicious plugins or themes, alter site content, or redirect users to malicious websites.
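To make the mechanism concrete, here is a hypothetical PHP illustration added for this article. It is not WP Job Portal's code and uses no names from the plugin: it shows a form handler that lets the request name the method it runs (the class of bug described above), how that lets an unauthenticated request change the default role and then register an administrator, and a hardened handler with an explicit action allowlist, a capability gate (standing in for WordPress's current_user_can), a registration-enabled check and a role allowlist.

```php
<?php
declare(strict_types=1);

// Added illustration, not WP Job Portal's code. Every class, method and setting
// name below is hypothetical; the requests at the bottom are constructed inputs.

// --- Vulnerable pattern: request-controlled dispatch, no authorisation -------
final class VulnerableFormHandler
{
    public array $settings = ['default_role' => 'subscriber'];
    public array $users = [];

    public function checkFormRequest(array $request): string
    {
        $action = (string) ($request['action'] ?? '');
        // Any public method is reachable by name by anyone who can send a request.
        if ($action !== '' && method_exists($this, $action)) {
            return $this->$action($request);
        }
        return 'unknown action';
    }

    public function submitApplication(array $r): string
    {
        return 'application stored for ' . ($r['email'] ?? 'anonymous');
    }

    // Should be admin-only; the dispatcher never checks, and the role is not validated.
    public function saveSettings(array $r): string
    {
        $this->settings['default_role'] = (string) ($r['default_role'] ?? 'subscriber');
        return 'settings saved';
    }

    // Ignores whether registration is enabled and uses whatever default_role is stored.
    public function createUser(array $r): string
    {
        $this->users[] = ['login' => (string) ($r['login'] ?? ''), 'role' => $this->settings['default_role']];
        return 'user created';
    }
}

// --- Hardened pattern: allowlisted actions, capability gate, validated role ---
final class HardenedFormHandler
{
    // public action name => [method, required capability (null = public)]
    private const ACTIONS = [
        'submit_application' => ['submitApplication', null],
        'save_settings'      => ['saveSettings', 'manage_options'],
        'create_user'        => ['createUser', null],
    ];
    private const ALLOWED_DEFAULT_ROLES = ['subscriber', 'contributor', 'author'];

    public array $settings = ['default_role' => 'subscriber'];
    public array $users = [];

    // $can stands in for current_user_can(); $registrationOpen for the site's registration option.
    public function checkFormRequest(array $request, callable $can, bool $registrationOpen): string
    {
        $action = (string) ($request['action'] ?? '');
        if (!isset(self::ACTIONS[$action])) {
            return 'unknown action';            // method names themselves are never dispatchable
        }
        [$method, $cap] = self::ACTIONS[$action];
        if ($cap !== null && !$can($cap)) {
            return 'rejected: insufficient privileges';
        }
        if ($method === 'createUser' && !$registrationOpen) {
            return 'rejected: registration disabled';
        }
        return $this->$method($request);
    }

    public function submitApplication(array $r): string
    {
        return 'application stored for ' . ($r['email'] ?? 'anonymous');
    }

    public function saveSettings(array $r): string
    {
        $role = (string) ($r['default_role'] ?? 'subscriber');
        if (!in_array($role, self::ALLOWED_DEFAULT_ROLES, true)) {
            return 'rejected: role not permitted as a default';
        }
        $this->settings['default_role'] = $role;
        return 'settings saved';
    }

    public function createUser(array $r): string
    {
        $this->users[] = ['login' => (string) ($r['login'] ?? ''), 'role' => $this->settings['default_role']];
        return 'user created';
    }
}

// Constructed requests: the same unauthenticated chain against each handler.
$v = new VulnerableFormHandler();
echo $v->checkFormRequest(['action' => 'saveSettings', 'default_role' => 'administrator']), "\n";
echo $v->checkFormRequest(['action' => 'createUser', 'login' => 'attacker']), "\n";
echo 'vulnerable handler: attacker role = ', $v->users[0]['role'], "\n";   // administrator

$h = new HardenedFormHandler();
$anonymous = fn (string $cap): bool => false;   // an unauthenticated visitor has no capabilities
echo $h->checkFormRequest(['action' => 'save_settings', 'default_role' => 'administrator'], $anonymous, false), "\n";
echo $h->checkFormRequest(['action' => 'saveSettings', 'default_role' => 'administrator'], $anonymous, false), "\n";
echo $h->checkFormRequest(['action' => 'create_user', 'login' => 'attacker'], $anonymous, false), "\n";
```

The hardened version closes all three doors at once: privileged actions are gated on a capability rather than on reaching a URL, the default role can never be set to an administrative role even by a legitimate administrator, and registration is refused while the site has it disabled. A nonce check would normally sit alongside the capability check in a real WordPress handler, but it only protects against cross-site request forgery; it is the capability gate that stops an unauthenticated attacker.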

Researchers have urged organisations to update the plugin to version 2.1.7 immediately to protect their websites from potential attacks.

Last month, a WordPress plugin called JS Help Desk, which was installed on over 5,000 websites, was found to have a serious RCE vulnerability. In July, four WordPress plugins were hit by a supply chain attack.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
