CVE-2020-35749
📋 TL;DR
This CVE describes a directory traversal vulnerability in the Simple Job Board WordPress plugin that allows authenticated attackers to read arbitrary files on the server. Attackers can exploit this by manipulating the sjb_file parameter in wp-admin/post.php to access sensitive files outside the intended directory. WordPress sites running Simple Job Board version 2.9.3 or earlier are affected.
💻 Affected Systems
- WordPress Simple Job Board Plugin
📦 What is this software?
Simple Job Board by PressTigers
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive system files like /etc/passwd, configuration files containing database credentials, or other sensitive application data, potentially leading to complete system compromise.
Likely Case
Attackers with WordPress admin access could read sensitive files containing credentials, configuration data, or other sensitive information stored on the server.
If Mitigated
With proper file permissions and web server configuration, impact would be limited to files readable by the web server user.
🎯 Exploit Status
Exploit requires WordPress admin authentication; multiple public exploit scripts are available
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.4 or later
Vendor Advisory: https://wordpress.org/plugins/simple-job-board/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Simple Job Board plugin
4. Click 'Update Now' if update available
5. If no update available, download latest version from WordPress.org
6. Deactivate old plugin, upload new version, activate
🔧 Temporary Workarounds
Disable vulnerable endpoint
Block access to the wp-admin/post.php endpoint or restrict it to trusted IPs. Note that post.php handles all post editing in the admin panel, so this also blocks legitimate editing from any address outside the allowed range.
# Add to .htaccess for Apache:
<Files "post.php">
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
</Files>
# Add to nginx config:
location ~ /wp-admin/post\.php$ {
allow 192.168.1.0/24;
deny all;
}
Remove vulnerable plugin
Temporarily disable or remove the Simple Job Board plugin until patched
# Via WordPress admin: Plugins → Installed Plugins → Simple Job Board → Deactivate
🧯 If You Can't Patch
- Implement strict file permissions (chmod 600 for sensitive files, chmod 755 for directories)
- Use web application firewall (WAF) rules to block directory traversal attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Simple Job Board version. If version is 2.9.3 or earlier, system is vulnerable.
Check Version:
# Confirm via the WordPress database that the plugin is active (this row does not contain the version; read that from the admin panel or the plugin header):
SELECT option_value FROM wp_options WHERE option_name = 'active_plugins' AND option_value LIKE '%simple-job-board%';
Verify Fix Applied:
Verify plugin version is 2.9.4 or later in WordPress admin panel. Test the vulnerable endpoint with traversal payloads to confirm fix.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to wp-admin/post.php with sjb_file parameter containing '../' sequences
- Multiple failed file access attempts from same IP
- Access to sensitive file paths in web server logs
Network Indicators:
- HTTP GET requests to /wp-admin/post.php?sjb_file=../../../etc/passwd or similar patterns
- Unusual file access patterns from authenticated users
SIEM Query:
source="web_server_logs" AND uri_path="/wp-admin/post.php" AND query_string="*sjb_file=*../*"
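The log indicators above, as an added example that is not part of this advisory: a small Python checker that scans Apache/nginx combined-format access logs for requests to wp-admin/post.php whose sjb_file value contains a traversal segment, counting attempts per source address. It goes slightly beyond the literal '../' indicator by also catching URL-encoded and double-encoded forms; the log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Combined access-log format as written by Apache and nginx (prefix only).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A '..' path segment bounded by a slash, a backslash, or the string edge.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def has_traversal(value: str) -> bool:
    """True if value holds a '../' segment, literal or URL-encoded once more.
    parse_qs already decoded one layer, so unquote() here catches %252e%252e%252f."""
    return bool(TRAVERSAL_RE.search(value) or TRAVERSAL_RE.search(unquote(value)))

def find_sjb_traversal(lines):
    """One hit per request to wp-admin/post.php whose sjb_file value traverses."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the expected format
        url = urlsplit(m['target'])
        if not url.path.endswith('/wp-admin/post.php'):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get('sjb_file', []):
            if has_traversal(value):
                hits.append({'ip': m['ip'], 'ts': m['ts'],
                             'status': int(m['status']), 'sjb_file': value})
    return hits

def attempts_per_ip(hits):
    """Count hits per source address: repeats from one IP are the second log indicator above."""
    return Counter(h['ip'] for h in hits)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2021:10:02:11 +0000] "GET /wp-admin/post.php?post=12&action=edit&sjb_file=../../../../etc/passwd HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2021:10:02:15 +0000] "GET /wp-admin/post.php?post=12&action=edit&sjb_file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2021:10:02:19 +0000] "GET /wp-admin/post.php?post=12&action=edit&sjb_file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Jan/2021:10:05:02 +0000] "GET /wp-admin/post.php?post=12&action=edit&sjb_file=uploads/resume-42.pdf HTTP/1.1" 200 88012 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Jan/2021:10:05:40 +0000] "GET /wp-admin/post.php?post=13&action=edit HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    found = find_sjb_traversal(SAMPLE_LOG.splitlines())
    print(found, dict(attempts_per_ip(found)))  # three hits, all from 203.0.113.7
```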
🔗 References
- http://packetstormsecurity.com/files/161050/Simple-JobBoard-Authenticated-File-Read.html
- http://packetstormsecurity.com/files/165892/WordPress-Simple-Job-Board-2.9.3-Local-File-Inclusion.html
- https://docs.google.com/document/d/1TbePkrRGsczepBaJptIdVRvfRrjiC5hjGg_Vxdesw6E/edit?usp=sharing