The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email via the account_settings_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
The account_settings_callback() function does not properly verify user identity before updating their data. An unauthenticated attacker can call this function and change the email address of any account, including the administrator account. After changing the email address, the attacker initiates a standard password reset procedure to a new address controlled by them, and then gains full access to the compromised account (privilege escalation through account takeover).
An attacker can take full control of any WordPress account, including the administrator account, resulting in complete site takeover – ability to modify content, install backdoors, and steal user data.
Update the WP JobHunt plugin to a version higher than 7.1 as soon as possible. Details regarding available patches should be verified in the producer's references (Wordfence and ThemeForest).
The WP JobHunt plugin for WordPress in all versions up to and including 7.1, used in conjunction with the Jobcareer theme (Chimpgroup).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HChimpgroup Jobcareer
APPChimpgroup≤ 7.1
Related vulnerabilities
WP JobHunt: nieuwierzytelnione przejęcie konta i privilege escalation
Authentication bypass w WP JobHunt – przejęcie konta administratora
The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and includin...
The JobCareer | Job Board Responsive WordPress Theme theme for WordPress is vulnerable to unauthorized access,...
PHP Object Injection w pluginie WordPress FoodBakery (do wersji 3.3)