CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11283 – WP JobHunt <= 7.1 - Authentication Bypass to Candidate
https://notcve.org/view.php?id=CVE-2024-11283
13 Mar 2025 — The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to wp_ajax_google_api_login_callback function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to access arbitrary candidate accounts. • https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636 • CWE-289: Authentication Bypass by Alternate Name •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11284 – WP JobHunt <= 7.1 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover
https://notcve.org/view.php?id=CVE-2024-11284
13 Mar 2025 — The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.9. This is due to the plugin not properly validating a user's identity prior to updating their password through the account_settings_save_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. • https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11285 – WP JobHunt <= 7.1 - Unauthenticated Privilege Escalation via Email Update/Account Takeover
https://notcve.org/view.php?id=CVE-2024-11285
13 Mar 2025 — The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email via the account_settings_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. • https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11286 – WP JobHunt <= 7.1 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2024-11286
13 Mar 2025 — The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the cs_parse_request() function. This makes it possible for unauthenticated attackers to to log in to any user's account, including administrators. • https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 7.5EPSS: 41%CPEs: 1EXPL: 2CVE-2018-19487 – JobCareer | Job Board Responsive WordPress Theme < 2.4 - User Enumeration
https://notcve.org/view.php?id=CVE-2018-19487
04 Dec 2018 — The WP-jobhunt plugin before version 2.4 for WordPress does not control AJAX requests sent to the cs_employer_ajax_profile() function through the admin-ajax.php file, which allows remote unauthenticated attackers to enumerate information about users. El plugin WP-jobhunt, en versiones anteriores a la 2.4 para WordPress, no controla las peticiones AJAX enviadas a la función cs_employer_ajax_profile() mediante el archivo admin-ajax.php, lo que permite que los atacantes remotos no autenticados enumeren informa... • https://github.com/YOLOP0wn/wp-jobhunt-exploit • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 27%CPEs: 1EXPL: 1CVE-2018-19488 – JobCareer | Job Board Responsive WordPress Theme < 2.4 - Unauthenticated Arbitrary Password Reset
https://notcve.org/view.php?id=CVE-2018-19488
04 Dec 2018 — The WP-jobhunt plugin before version 2.4 for WordPress does not control AJAX requests sent to the cs_reset_pass() function through the admin-ajax.php file, which allows remote unauthenticated attackers to reset the password of a user's account. El plugin WP-jobhunt, en versiones anteriores a la 2.4 para WordPress, no controla las peticiones AJAX enviadas a la función cs_reset_pass() mediante el archivo admin-ajax.php, lo que permite que los atacantes remotos no autenticados restablezcan la contraseña de la ... • https://github.com/Antho59/wp-jobhunt-exploit • CWE-640: Weak Password Recovery Mechanism for Forgotten Password CWE-862: Missing Authorization •