Unrestricted Upload of File with Dangerous Type vulnerability in HM Plugin WordPress Job Board and Recruitment Plugin – JobWP.This issue affects WordPress Job Board and Recruitment Plugin – JobWP: from n/a through 2.0.
The vulnerability classified as CWE-434 consists of the lack of proper validation and restrictions on the types of uploaded files. An unauthenticated attacker can remotely upload an executable file (e.g., PHP webshell) to the WordPress server. Once the malicious file is placed, it is possible to execute it directly in the context of the web server, which leads to full takeover of control over the application and system.
An attacker can gain full control over the server, including reading and modifying sensitive data, installing backdoors, and the ability to perform further lateral movement within the infrastructure. The scope of compromise includes confidentiality, integrity, and availability of the system to a critical degree.
The JobWP plugin should be immediately updated to a version higher than 2.0 through the WordPress admin panel or apply patches available from the vendor according to references published by Patchstack. Until the update is applied, consider disabling the plugin.
WordPress Job Board and Recruitment Plugin – JobWP in versions from the beginning of the plugin's existence through version 2.0 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HHmplugin Jobwp
APPHmplugin≤ 2.0
Related vulnerabilities
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HM Plugin WordPress Job Board and ...
The HM Multiple Roles WordPress plugin before 1.3 does not have any access control to prevent low privilege us...
Missing Authorization vulnerability in Hossni Mubarak AidWP wp-stripe-donation allows Exploiting Incorrectly C...
Cross-Site Request Forgery (CSRF) vulnerability in HM Plugin WordPress Books Gallery plugin <= 4.4.8 versions.
Cross-Site Request Forgery (CSRF) vulnerability in HM Plugin Accept Stripe Donation – AidWP plugin <= 3.1.5 ve...