CVE-2024-11917

HIGH

JobSearch WP Job Board <2.9.2 - Auth Bypass

Title source: llm

Description

The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.9.2. This is due to improper configurations in the 'jobsearch_xing_response_data_callback', 'set_access_tokes', and 'google_callback' functions. This makes it possible for unauthenticated attackers to log in as the first connected Xing user, or any connected Xing user if the Xing id is known. It is also possible for unauthenticated attackers to log in as the first connected Google user if the user has logged in, without subsequently logging out, in thirty days. The vulnerability was partially patched in version 2.8.4.

References (2)

Core 2

Core References

Various Sources

https://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/6de8a608-8715-4f9c-9f2f-df60dd1cc579?source=cve

Scores

CVSS v3 8.1

EPSS 0.0045

EPSS Percentile 35.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-287

Status published

Products (1)

eyecix/JobSearch WP Job Board < 2.9.2

Published Apr 25, 2025

Tracked Since Feb 18, 2026