Cyber Posture

CVE-2024-11283

Severity: High
Published: 14 March 2025
Modified: 08 July 2025
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0009 (25.1st percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-11283 is a high-severity Authentication Bypass by Alternate Name (CWE-289) vulnerability in Chimpgroup Jobcareer. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 25.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Requires timely identification, reporting, and correction of the specific authentication bypass flaw in WP JobHunt plugin versions up to and including 7.1, preventing exploitation.

prevent (IA-8): Mandates identification and authentication for non-organizational users such as job candidates, directly addressing the missing identity verification in the plugin's login callback.

prevent (SI-10): Enforces information input validation at interfaces such as wp_ajax_google_api_login_callback, so the callback does not authenticate a user on the basis of request data it has not verified.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The authentication bypass in the public-facing WP JobHunt WordPress plugin directly enables remote exploitation of a public-facing application to gain unauthorized access to user accounts and data.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the wp_ajax_google_api_login_callback function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to access arbitrary candidate accounts.

Deeper analysis

CVE-2024-11283 is an authentication bypass vulnerability affecting the WP JobHunt plugin for WordPress in all versions up to and including 7.1. The issue stems from the wp_ajax_google_api_login_callback function, which fails to properly verify a user's identity before authenticating them; it is mapped to CWE-289 (Authentication Bypass by Alternate Name). The flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): high severity, driven by the potential for unauthorized data access.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By leveraging the flawed callback function, they can gain access to arbitrary candidate accounts within the plugin, potentially exposing sensitive user data such as resumes, profiles, or job application details.

Mitigation details are outlined in advisories from sources like Wordfence, accessible via their threat intelligence page, and the plugin's listing on ThemeForest. Security practitioners should update to a patched version beyond 7.1 if available and review access logs for suspicious activity on affected sites.
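The log review suggested above can be automated. The following is an added example, not code from the advisory or the plugin: it parses combined-format web server access logs and flags sources that hit the login callback in bursts, since a legitimate Google sign-in needs a single callback request. It assumes the AJAX action name is `google_api_login_callback` (inferred from the wp_ajax_ hook prefix) and uses constructed sample log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# WordPress routes admin-ajax.php?action=X to the wp_ajax_X hook, so the hook
# named in the advisory implies this action name. That is an assumption about
# the plugin; confirm it against your own installation before relying on it.
AJAX_ACTION = "google_api_login_callback"

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real traffic: one source hits the callback
# three times in two seconds, one ordinary visitor uses it once.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=google_api_login_callback HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [14/Mar/2025:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=google_api_login_callback HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [14/Mar/2025:10:01:04 +0000] "GET /wp-admin/admin-ajax.php?action=google_api_login_callback HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [14/Mar/2025:10:05:30 +0000] "GET /wp-admin/admin-ajax.php?action=google_api_login_callback HTTP/1.1" 302 0 "https://accounts.google.com/" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def callback_hits(log_text):
    """Records whose request line targets the callback action. An action sent in
    a POST body does not appear here; that case needs application or WAF logs."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "admin-ajax.php" in rec["path"] and f"action={AJAX_ACTION}" in rec["path"]:
            hits.append(rec)
    return hits

def burst_sources(log_text, burst=3, window=timedelta(seconds=60)):
    """Map source IP -> total callback hits for every source that issued at
    least `burst` callback requests inside one `window`."""
    by_ip = defaultdict(list)
    for rec in callback_hits(log_text):
        by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - burst + 1):
            if stamps[i + burst - 1] - stamps[i] <= window:
                flagged[ip] = len(stamps)
                break
    return flagged
```

Flagged sources are a starting point for triage, not proof of compromise; correlate them with the plugin's own login records for the candidate accounts involved.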

Details

CWE(s): CWE-289

Affected Products: chimpgroup jobcareer, versions ≤ 7.1

CVEs Like This One

CVE-2024-11286 (same product: Chimpgroup Jobcareer)
CVE-2024-11284 (same product: Chimpgroup Jobcareer)
CVE-2024-12810 (same product: Chimpgroup Jobcareer)
CVE-2024-11285 (same product: Chimpgroup Jobcareer)
CVE-2024-56511 (shared CWE-289)
CVE-2025-13613 (shared CWE-289)
CVE-2025-29266 (shared CWE-289)
CVE-2026-32036 (shared CWE-289)
CVE-2025-55130 (shared CWE-289)
CVE-2026-24058 (shared CWE-289)

References