CVE-2024-11284
📋 TL;DR
The WP JobHunt WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to reset any user's password, including administrators. This leads to complete account takeover and privilege escalation. All WordPress sites using WP JobHunt versions up to 6.9 are affected.
💻 Affected Systems
- WP JobHunt WordPress Plugin
📦 What is this software?
WP JobHunt is the job board plugin that ships with the Jobcareer WordPress theme by Chimpgroup.
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise - attackers gain administrative access, can install backdoors, steal data, deface the site, or use it for further attacks.
Likely Case
Administrative account takeover leading to site defacement, data theft, or malware installation.
If Mitigated
Limited impact if strong network controls prevent external access or if immediate detection triggers response.
🎯 Exploit Status
Simple HTTP request to vulnerable endpoint with user ID parameter. Public exploit details available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 7.0 or later
Vendor Advisory: https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the WP JobHunt plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 7.0+ from the theme vendor.
6. Deactivate and delete the old version.
7. Upload and activate the new version.
🔧 Temporary Workarounds
Immediate Plugin Deactivation
Temporarily disable the vulnerable plugin to prevent exploitation
wp plugin deactivate wp-jobhunt
Web Application Firewall Rule
Block requests to the vulnerable account_settings_save_callback() AJAX action (note that this also blocks legitimate account-settings saves by logged-in users until the plugin is updated)
# Add WAF rule to block POST requests to */wp-admin/admin-ajax.php with action=account_settings_save_callback
🧯 If You Can't Patch
- Immediately deactivate the WP JobHunt plugin via WordPress admin or command line
- Implement strict network access controls to limit access to WordPress admin interfaces
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for WP JobHunt version. If version is 6.9 or lower, you are vulnerable.
Check Version:
wp plugin get wp-jobhunt --field=version
Verify Fix Applied:
Verify WP JobHunt plugin is updated to version 7.0 or later in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=account_settings_save_callback
- Multiple failed login attempts followed by successful login from new IP
- User password change events without proper authentication
Network Indicators:
- Unusual POST requests to WordPress admin-ajax endpoint from unauthenticated sources
- Traffic patterns showing account takeover attempts
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data CONTAINS "account_settings_save_callback")
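As an added example that is not part of the advisory: a small Python triage script that applies the log indicators above to request-log lines. The JSON log format, its field names (ip, method, uri, post_data, user) and the sample lines are constructed assumptions; adapt the loader to your own web server or WordPress logging plugin.

```python
import json
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "account_settings_save_callback"

# Constructed sample log lines (not from any real site). "post_data" is the raw
# form body; "user" is the authenticated WordPress user, empty if none.
SAMPLE_LOG = [
    '{"ip":"203.0.113.7","method":"POST","uri":"/wp-admin/admin-ajax.php",'
    '"post_data":"action=account_settings_save_callback&user_id=1","user":""}',
    '{"ip":"203.0.113.7","method":"POST",'
    '"uri":"/wp-admin/admin-ajax.php?action=account_settings_save_callback",'
    '"post_data":"user_id=1","user":""}',
    '{"ip":"198.51.100.9","method":"POST","uri":"/wp-admin/admin-ajax.php",'
    '"post_data":"action=heartbeat","user":"alice"}',
    '{"ip":"198.51.100.9","method":"GET","uri":"/wp-login.php","post_data":"","user":""}',
]


def ajax_action(entry):
    """Return the admin-ajax 'action' (query string or POST body), else None."""
    parts = urlsplit(entry.get("uri", ""))
    if parts.path != AJAX_PATH:
        return None
    for source in (parts.query, entry.get("post_data", "")):
        values = parse_qs(source).get("action")
        if values:
            return values[0]
    return None


def find_hits(lines):
    """Return POST requests invoking the target action, with auth context."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the sweep
        if entry.get("method") == "POST" and ajax_action(entry) == TARGET_ACTION:
            hits.append({"ip": entry.get("ip"), "user": entry.get("user") or None})
    return hits


def unauthenticated_by_ip(hits):
    """Count hits with no logged-in user, per source IP (the strongest indicator)."""
    counts = {}
    for hit in hits:
        if hit["user"] is None:
            counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts
```

Hits from authenticated users are expected when someone legitimately saves their account settings; unauthenticated hits, especially repeated ones from one IP, are what warrant investigation.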