Cyber Posture

CVE-2024-11284

Severity: Critical

Published: 14 March 2025
Modified: 08 July 2025
KEV Added: not listed
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.7th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-11284 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Chimpgroup Jobcareer. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 30.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Enforces approved authorizations, preventing unauthenticated attackers from updating arbitrary user passwords via the flawed account_settings_save_callback() function.

Prevent: Requires identity validation and secure processes for managing authenticators such as passwords, directly countering unauthorized password changes.

Prevent: Mandates validation of user identity and approval processes prior to account modifications such as password updates, mitigating account takeover risks.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

A vulnerability in a public-facing WordPress plugin enables remote, unauthenticated exploitation for initial access (T1190), direct privilege escalation via account takeover (T1068), and subsequent abuse of the taken-over accounts as valid credentials (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.9. This is due to the plugin not properly validating a user's identity prior to updating their password through the account_settings_save_callback() function. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

Deeper analysis

CVE-2024-11284 is a privilege escalation vulnerability via account takeover in the WP JobHunt plugin for WordPress, affecting all versions up to and including 6.9. The issue arises because the plugin does not properly validate a user's identity prior to updating their password through the account_settings_save_callback() function, allowing unauthorized password changes. Published on 2025-03-14, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-639 (Authorization Bypass Through User-Controlled Key).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required. By targeting the flawed callback function, they can reset the passwords of arbitrary users, including administrators, enabling full account takeover and potential complete compromise of the affected WordPress site.
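The root cause described above (a password update handler that never binds the request to an authenticated identity) is the CWE-639 pattern. The PHP below is an added illustration written for this page, not the plugin's code and not taken from the advisory: it shows a generic instance of the weak pattern beside a hardened WordPress AJAX handler. The action names, function names and POST parameter names (weak_settings_save, safe_settings_save, user_id, current_password, new_password, nonce) are hypothetical; the WordPress API calls (check_ajax_referer, is_user_logged_in, wp_get_current_user, wp_check_password, wp_set_password, WP_Session_Tokens) are real.

```php
<?php
// HYPOTHETICAL illustration of the CWE-639 pattern (constructed for this page,
// not the WP JobHunt plugin's code). Two defects combine: the handler is
// registered for anonymous requests (wp_ajax_nopriv_*), and it trusts a
// client-supplied user id, so the requester chooses whose password changes.
add_action( 'wp_ajax_nopriv_weak_settings_save', 'weak_settings_save' );
add_action( 'wp_ajax_weak_settings_save', 'weak_settings_save' );
function weak_settings_save() {
    $user_id = absint( $_POST['user_id'] ?? 0 );             // user-controlled key
    $new_pw  = (string) ( $_POST['new_password'] ?? '' );
    if ( $user_id && '' !== $new_pw ) {
        wp_set_password( $new_pw, $user_id );                 // no identity check
    }
    wp_send_json_success();
}

// Hardened handler (also hypothetical). Identity comes from the server-side
// session, never from the request body; the request carries a CSRF nonce; the
// caller must prove knowledge of the current password; and other sessions for
// the account are revoked after the change.
add_action( 'wp_ajax_safe_settings_save', 'safe_settings_save' ); // logged-in only
function safe_settings_save() {
    // Rejects the request (HTTP 403, dies) if the nonce is missing or invalid.
    check_ajax_referer( 'safe_settings_save', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // The account being modified is the caller's own; no user_id is read from POST.
    $user = wp_get_current_user();

    $current_pw = (string) ( $_POST['current_password'] ?? '' );
    $new_pw     = (string) ( $_POST['new_password'] ?? '' );

    // Re-authenticate: compare the supplied current password against the stored hash.
    if ( ! wp_check_password( $current_pw, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( array( 'message' => 'Current password is incorrect.' ), 403 );
    }

    // Minimal strength policy; the threshold is an assumption, adjust to site policy.
    if ( strlen( $new_pw ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Password must be at least 12 characters.' ), 400 );
    }

    wp_set_password( $new_pw, $user->ID );

    // Invalidate every other session for this account, keeping only the caller's.
    WP_Session_Tokens::get_instance( $user->ID )->destroy_others( wp_get_session_token() );

    wp_send_json_success( array( 'message' => 'Password updated.' ) );
}
```

The form that posts to the hardened handler must include a nonce generated with wp_create_nonce( 'safe_settings_save' ) in a field named nonce. If a site legitimately needs administrators to reset other users' passwords through the same endpoint, the target id still must not be trusted on its own: gate that branch on current_user_can( 'edit_user', $target_id ) and keep the logged-in-only registration. When reviewing a plugin for this class of bug, the two things to grep for are wp_ajax_nopriv_ registrations on account-modifying actions and any wp_set_password() whose user id argument originates from $_POST or $_GET.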

Advisories provide further details on the issue, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/8afe386e-1e4f-4668-8309-6d47dedb008a?source=cve and the plugin's ThemeForest page at https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636.

Details

CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)

Affected Products: chimpgroup jobcareer, versions ≤ 7.1. Note that the NVD description above names the WP JobHunt plugin up to and including 6.9, while this product entry lists versions up to 7.1; confirm the affected range against the vendor advisory before scoping remediation.

CVEs Like This One

CVE-2024-11285 (same product: Chimpgroup Jobcareer)
CVE-2024-12810 (same product: Chimpgroup Jobcareer)
CVE-2024-11283 (same product: Chimpgroup Jobcareer)
CVE-2024-11286 (same product: Chimpgroup Jobcareer)
CVE-2026-25147 (shared CWE-639)
CVE-2025-67165 (shared CWE-639)
CVE-2026-25497 (shared CWE-639)
CVE-2026-24178 (shared CWE-639)
CVE-2026-25197 (shared CWE-639)
CVE-2026-1619 (shared CWE-639)
