Description

The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.9.2. This is due to improper configurations in the 'jobsearch_xing_response_data_callback', 'set_access_tokes', and 'google_callback' functions. This makes it possible for unauthenticated attackers to log in as the first connected Xing user, or as any connected Xing user if that user's Xing id is known. It is also possible for unauthenticated attackers to log in as the first connected Google user if that user has logged in within the last thirty days without subsequently logging out. The vulnerability was partially patched in version 2.8.4.

PUBLISHED Reserved 2024-11-27 | Published 2025-04-25 | Updated 2026-04-08 | Assigner Wordfence

HIGH: 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-287 Improper Authentication

Product status

Default status: unaffected

Any version: affected

Timeline

2025-04-24: Disclosed

Credits

Friderika Baranyai (finder)

References

www.wordfence.com/...-8715-4f9c-9f2f-df60dd1cc579?source=cve

codecanyon.net/...rch-wp-job-board-wordpress-plugin/21066856

cve.org (CVE-2024-11917)

nvd.nist.gov (CVE-2024-11917)