CVE-2024-12132
📋 TL;DR
This vulnerability in the WP Job Portal WordPress plugin allows authenticated users with Subscriber-level access or higher to create job listings for companies they don't own or manage. Attackers can exploit missing validation on user-controlled parameters to post unauthorized job listings. All WordPress sites using this plugin up to version 2.2.4 are affected.
💻 Affected Systems
- WP Job Portal – A Complete Recruitment System for Company or Job Board
📦 What is this software?
Wp Job Portal by Wpjobportal
⚠️ Risk & Real-World Impact
Worst Case
Attackers flood job boards with fraudulent or malicious job postings, damaging company reputation, causing financial losses from fraudulent hiring processes, and potentially enabling phishing campaigns through fake job listings.
Likely Case
Unauthorized job postings appear on company websites, requiring manual cleanup and potentially confusing legitimate job seekers with fake opportunities.
If Mitigated
With proper access controls and monitoring, impact is limited to minor administrative overhead for removing unauthorized posts.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker obtains Subscriber-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.5
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3210251/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'WP Job Portal' and click 'Update Now'.
4. Alternatively, download version 2.2.5+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable user registration
Prevent new user accounts from being created, eliminating the attack vector for external attackers.
Navigate to WordPress Settings → General → uncheck 'Anyone can register'
Remove Subscriber role job creation capability
Use a role management plugin to revoke job creation permissions from the Subscriber role.
🧯 If You Can't Patch
- Implement strict access controls to limit job creation to trusted administrators only
- Monitor job listings for unauthorized posts and implement approval workflows for all new job postings
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If WP Job Portal version is 2.2.4 or lower, you are vulnerable.
Check Version:
wp plugin list --name='wp-job-portal' --field=version
Verify Fix Applied:
After updating, verify plugin version shows 2.2.5 or higher. Test with a Subscriber-level account that job creation for unauthorized companies is blocked.
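The TL;DR describes the bug as missing validation of a user-controlled company parameter, and the verification step above checks that a Subscriber can no longer post under a company they do not own. The following is an added illustration of that bug class and its fix, not WP Job Portal's own code: the handler name, table and column names, the nonce action and the capability name are hypothetical placeholders; only the WordPress core functions are real.

```php
<?php
// Added illustration for CVE-2024-12132's bug class; not the plugin's code.
// Table/column names, the nonce action and the capability are hypothetical.

// VULNERABLE PATTERN: company_id is taken from the request and never tied to
// the logged-in user, so any authenticated user can post under any company.
function example_create_job_vulnerable() {
    global $wpdb;
    $wpdb->insert( $wpdb->prefix . 'example_jobs', [
        'company_id' => absint( $_POST['company_id'] ?? 0 ),
        'title'      => sanitize_text_field( $_POST['title'] ?? '' ),
        'user_id'    => get_current_user_id(),
    ], [ '%d', '%s', '%d' ] );
}

// HARDENED PATTERN: nonce, capability, and a server-side ownership check that
// binds the client-supplied company id to the current user before inserting.
function example_create_job_hardened() {
    global $wpdb;

    // 1. Reject requests without a valid nonce for this specific action (CSRF).
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'example_create_job' ) ) {
        wp_die( 'Invalid request.', 403 );
    }

    // 2. Only roles explicitly granted the job-creation capability may proceed;
    //    Subscriber does not receive it unless an admin assigns it.
    if ( ! is_user_logged_in() || ! current_user_can( 'example_create_job' ) ) {
        wp_die( 'You are not allowed to create jobs.', 403 );
    }

    // 3. Look the company up by (id, owner) instead of trusting the id alone.
    $company_id = absint( $_POST['company_id'] ?? 0 );
    $user_id    = get_current_user_id();
    $owned      = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}example_companies WHERE id = %d AND owner_user_id = %d",
        $company_id,
        $user_id
    ) );
    if ( 0 === $owned ) {
        wp_die( 'You do not own this company.', 403 );
    }

    $wpdb->insert( $wpdb->prefix . 'example_jobs', [
        'company_id' => $company_id,
        'title'      => sanitize_text_field( $_POST['title'] ?? '' ),
        'user_id'    => $user_id,
    ], [ '%d', '%s', '%d' ] );
}
```

The ownership query is the check the Subscriber-account test above exercises: a request naming a company the user does not own must end at step 3 with a 403, regardless of what the client sends.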
📡 Detection & Monitoring
Log Indicators:
- Multiple job creation attempts from Subscriber accounts
- Job posts with mismatched company-user relationships in plugin logs
Network Indicators:
- Unusual job posting patterns from non-admin accounts
SIEM Query:
source="wordpress" AND (plugin="wp-job-portal" AND action="create_job" AND user_role="subscriber")