CVE-2024-10104
📋 TL;DR
The Jobs for WordPress plugin before version 2.7.8 has a stored cross-site scripting (XSS) vulnerability in job settings. This allows authenticated users with contributor-level privileges or higher to inject malicious scripts that execute when other users view affected pages. WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Jobs for WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with contributor access could inject malicious JavaScript that steals administrator session cookies, leading to full site compromise and potential data exfiltration.
Likely Case
Malicious contributors could inject scripts to deface job listings, redirect users, or perform limited privilege escalation within the WordPress dashboard.
If Mitigated
With proper user access controls and content security policies, impact is limited to job listing pages with minimal data exposure.
🎯 Exploit Status
Exploitation requires contributor-level WordPress access. The vulnerability is in job settings fields that lack proper sanitization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.8
Vendor Advisory: https://wpscan.com/vulnerability/f0a9c8ae-f2cf-4322-8216-4778b0e37a48/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Jobs for WordPress' and check whether the installed version is below 2.7.8.
4. Click 'Update Now' or manually update to version 2.7.8 or later.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the Jobs for WordPress plugin until patched
wp plugin deactivate jobs-for-wordpress
Restrict Contributor Privileges
Temporarily downgrade contributor users to the subscriber role or remove job editing capabilities
wp user update <user_id> --role=subscriber
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
- Regularly audit and monitor job listings for suspicious script content
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the 'Jobs for WordPress' version. If the version is below 2.7.8, the site is vulnerable.
Check Version:
wp plugin get jobs-for-wordpress --field=version
Verify Fix Applied:
After updating, verify plugin version shows 2.7.8 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual job listing edits by contributor users
- JavaScript injection patterns in job description fields
Network Indicators:
- Unexpected script loads from job listing pages
- Suspicious outbound connections triggered by job views
SIEM Query:
source="wordpress.log" AND "jobs-for-wordpress" AND ("updated" OR "edited") AND user_role="contributor"
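The "audit job listings for suspicious script content" workaround and the "JavaScript injection patterns in job description fields" indicator above both come down to scanning stored job fields for markup that should never be there. Here is an added Python example (not code from the advisory or the plugin) that does that over exported job records, decoding HTML entities first so that encoded payloads are not missed; the record layout and the sample rows are constructed for illustration.

```python
import html
import re
from typing import Dict, List

# Markup that should never appear in a job listing field that is rendered as HTML.
# A starting point for auditing, not an exhaustive XSS grammar.
INJECTION_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "embedded_frame": re.compile(r"<\s*(iframe|object|embed)\b", re.IGNORECASE),
    "svg_tag": re.compile(r"<\s*svg\b", re.IGNORECASE),
}

def normalize(value: str) -> str:
    """Decode HTML entities repeatedly so payloads like &lt;script&gt; are caught."""
    prev = None
    while prev != value:
        prev, value = value, html.unescape(value)
    return value

def find_injection_patterns(value: str) -> List[str]:
    """Return the names of the injection patterns present in one field value."""
    text = normalize(value)
    return [name for name, rx in INJECTION_PATTERNS.items() if rx.search(text)]

def audit_jobs(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Scan exported job records; one finding per field that matches, with the author's role."""
    findings = []
    for row in rows:
        for field in ("title", "description", "settings"):
            hits = find_injection_patterns(str(row.get(field, "")))
            if hits:
                findings.append({"job_id": row["id"], "author_role": row["author_role"],
                                 "field": field, "patterns": hits})
    return findings

# Constructed sample rows mimicking an export of job posts and their settings fields.
SAMPLE_JOBS = [
    {"id": 101, "author_role": "editor", "title": "Backend Engineer",
     "description": "<p>Remote, full time.</p>", "settings": "location=Berlin"},
    {"id": 102, "author_role": "contributor", "title": "Designer",
     "description": "<img src=x onerror=alert(1)>", "settings": "location=Paris"},
    {"id": 103, "author_role": "contributor", "title": "Analyst",
     "description": 'Apply <a href="&#106;avascript:alert(2)">here</a>',
     "settings": "&lt;script&gt;fetch('/x')&lt;/script&gt;"},
]

if __name__ == "__main__":
    for finding in audit_jobs(SAMPLE_JOBS):
        print(finding)
```

Findings that point at contributor-authored records are the ones to review first, since that is the privilege level the vulnerability requires.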