CVE-2024-11715

4.8 MEDIUM

📋 TL;DR

This vulnerability in the WP Job Portal WordPress plugin allows unauthenticated attackers to assign themselves the employer role without proper authorization. It affects all WordPress sites using WP Job Portal plugin versions up to 2.2.2. Attackers can gain employer-level privileges to potentially access sensitive recruitment data and functionality.

💻 Affected Systems

Products:
  • WP Job Portal WordPress Plugin
Versions: All versions up to and including 2.2.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the WP Job Portal plugin active.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain employer access to view applicant data, post malicious job listings, or pivot to further attacks on the WordPress installation.

🟠 Likely Case

Attackers create fake employer accounts to post spam job listings or harvest applicant information.

🟢 If Mitigated

With proper monitoring and limited plugin functionality, impact is limited to unauthorized employer account creation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available showing simple HTTP request exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.3

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3202327/wp-job-portal/tags/2.2.3/modules/user/controller.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find WP Job Portal.
4. Click 'Update Now' or manually update to version 2.2.3+.
5. Verify that the update completes successfully.

🔧 Temporary Workarounds

Disable Plugin (Platform: all)

Temporarily disable the WP Job Portal plugin until patched.

wp plugin deactivate wp-job-portal

Restrict Access (Platform: all)

Use a web application firewall to block requests to the vulnerable endpoints.

🧯 If You Can't Patch

  • Implement strict network access controls to limit plugin exposure
  • Enable detailed logging and monitoring for unauthorized role assignment attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > WP Job Portal version. If the version is 2.2.2 or lower, the system is vulnerable.

Check Version:

wp plugin get wp-job-portal --field=version

Verify Fix Applied:

Verify that the plugin version is 2.2.3 or higher in the WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized POST requests to /wp-admin/admin-ajax.php with action=assignUserRole
  • Sudden creation of employer role accounts from unfamiliar IPs

Network Indicators:

  • HTTP POST requests to admin-ajax.php with assignUserRole parameter from unauthenticated sources

SIEM Query:

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="assignUserRole"
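The log indicators and SIEM query above can be checked offline against web server logs with a small detector. The following is an added example written for this page, not code from the WP Job Portal project or the vendor; the log lines are constructed, and the assignUserRole action name and the /wp-admin/admin-ajax.php URI are taken from the indicators above. One caveat: for a POST request the action parameter is frequently sent in the form body, which a standard access log does not record, so the detector also accepts body parameters captured separately by a WAF or reverse proxy.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=assignUserRole HTTP/1.1" 200 57 "-" "python-requests/2.31"
203.0.113.10 - - [12/Dec/2024:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=assignUserRole HTTP/1.1" 200 57 "-" "python-requests/2.31"
198.51.100.7 - - [12/Dec/2024:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Dec/2024:10:02:16 +0000] "POST /wp-admin/admin-ajax.php?action=assignUserRole HTTP/1.1" 200 57 "https://example.test/wp-admin/" "Mozilla/5.0"
192.0.2.44 - - [12/Dec/2024:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicator values from the advisory's detection section.
VULN_URI = "/wp-admin/admin-ajax.php"
VULN_ACTION = "assignUserRole"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec.pop("target"))
    rec["uri"] = parts.path
    # Keep the first value of each query parameter (mirrors the SIEM field params.action).
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_role_assignment(rec, body_params=None):
    """True when the record is a POST to admin-ajax.php carrying action=assignUserRole.

    The action may travel in the query string or in the form body; a standard
    access log only records the former, so a body captured by a WAF or reverse
    proxy can be passed in separately as body_params (query string wins on conflict).
    """
    params = dict(body_params or {})
    params.update(rec["params"])
    return (
        rec["method"] == "POST"
        and rec["uri"] == VULN_URI
        and params.get("action") == VULN_ACTION
    )


def find_role_assignments(log_text):
    """Return every parsed record that matches the indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_role_assignment(rec):
            hits.append(rec)
    return hits


def hits_per_ip(hits):
    """Count matching requests per client IP, to surface bursts from a single source."""
    return Counter(rec["ip"] for rec in hits)


if __name__ == "__main__":
    found = find_role_assignments(SAMPLE_LOG)
    for rec in found:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["uri"]} '
              f'action={rec["params"].get("action")} ua="{rec["ua"]}"')
    print("per-IP counts:", dict(hits_per_ip(found)))
```

Against the constructed sample the detector reports three matching requests, two of them from one address; in practice the hit list should be joined with the site's user table so that employer accounts created at the same timestamps stand out, which is the second log indicator listed above.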
