CVE-2024-11917

EUVD-2025-12543

25.04.2025, 12:15

The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.9.2. This is due to improper configurations in the 'jobsearch_xing_response_data_callback', 'set_access_tokes', and 'google_callback' functions. This makes it possible for unauthenticated attackers to log in as the first connected Xing user, or any connected Xing user if the Xing id is known. It is also possible for unauthenticated attackers to log in as the first connected Google user if the user has logged in, without subsequently logging out, in thirty days. The vulnerability was partially patched in version 2.8.4.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
Wordfence	CNA	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 57%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
eyecix	jobsearch_wp_job_board	𝑥 ≤ 2.9.2	CNA

Common Weakness Enumeration

CWE-287 - Improper Authentication
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

References

https://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856

https://www.wordfence.com/threat-intel/vulnerabilities/id/6de8a608-8715-4f9c-9f2f-df60dd1cc579?source=cve