
CVE-2024-13772 – Civi - Job Board & Freelance Marketplace WordPress Theme <= 2.1.4 - Authentication Bypass via Non-Randomized Password for SSO Accounts
https://notcve.org/view.php?id=CVE-2024-13772
13 Mar 2025 — The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of randomization of a password created during Single Sign-On via Google or Facebook. This makes it possible for unauthenticated attackers to change the password of arbitrary Candidate-level users if the attacker knows the username assigned to the victim during account creation.
• http://localhost:1337/wp-content/themes/civi/includes/class-ajax.php#L567
• CWE-288: Authentication Bypass Using an Alternate Path or Channel

CVE-2024-13773 – Civi - Job Board & Freelance Marketplace WordPress Theme <= 2.1.4 - Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2024-13773
13 Mar 2025 — The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via hard-coded credentials. This makes it possible for unauthenticated attackers to extract sensitive data including LinkedIn client and secret keys.
• http://localhost:1337/wp-content/themes/civi/includes/class-init.php#L36
• CWE-321: Use of Hard-coded Cryptographic Key

CVE-2024-13771 – Civi - Job Board & Freelance Marketplace WordPress Theme <= 2.1.4 - Authentication Bypass via Password Update
https://notcve.org/view.php?id=CVE-2024-13771
13 Mar 2025 — The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change the password of arbitrary users, including administrators, if the attacker knows the username of the victim.
• http://localhost:1337/wp-content/themes/civi/includes/class-ajax.php#L715
• CWE-288: Authentication Bypass Using an Alternate Path or Channel