Cyber Posture

CVE-2024-11285

Severity: Critical
Published: 14 March 2025
Modified: 08 July 2025
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (45.0th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-11285 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Chimpgroup Jobcareer. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 45.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI-generated)

- AC-3 Access Enforcement (prevent): Enforces approved authorizations before allowing updates to user account details like email addresses, directly preventing unauthorized modifications via the account_settings_callback() function.
- AC-6 Least Privilege (prevent): Implements least privilege to restrict unauthenticated attackers from performing privileged actions such as changing administrator email addresses, mitigating privilege escalation.
- (prevent): Manages account modifications with validation and approval processes to ensure only authorized changes to user details like email, reducing risks of account takeover.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1098 Account Manipulation (Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
- T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability enables remote exploitation of a public-facing WordPress application (T1190), direct unauthorized manipulation of user account details like email addresses (T1098), and subsequent takeover of valid accounts including administrators (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email via the account_settings_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

Deeper analysis (AI-generated)

CVE-2024-11285 is a critical privilege escalation vulnerability affecting the WP JobHunt plugin for WordPress in all versions up to and including 7.1. The flaw stems from the plugin's account_settings_callback() function failing to properly validate a user's identity before allowing updates to account details, such as email addresses. This authorization bypass, mapped to CWE-639, enables unauthorized modifications without authentication, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By targeting the account settings endpoint, they can arbitrarily change any user's email address, including those of administrators, then leverage the altered email to initiate a password reset process. Successful exploitation results in full account takeover, granting attackers high confidentiality, integrity, and availability impacts, such as unauthorized access to privileged accounts and potential further compromise of the WordPress site.

Advisories from sources like Wordfence provide detailed threat intelligence on the vulnerability, while the plugin's listing on ThemeForest offers context on the affected JobCareer theme integration. Practitioners should consult these references for patch availability, as the description indicates no built-in mitigations in vulnerable versions, and updating to a fixed release beyond 7.1 is implied as the primary remediation.
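To make the CWE-639 pattern concrete, the following is an added illustration written for this page, not WP JobHunt's code: a constructed handler that selects the record to update by a client-supplied key and is reachable unauthenticated, beside a hardened handler that binds the update to the logged-in session, verifies a nonce, and requires a capability to edit anyone else. The AJAX action names, the nonce action and the `user_id`/`email` parameter names are assumptions.

```php
<?php
// Constructed illustration of CWE-639 in a WordPress AJAX handler.
// Not the plugin's code; hook, nonce and parameter names are assumed.

// Flawed shape: the record is chosen by a user-controlled key and the
// wp_ajax_nopriv_ hook exposes the handler without authentication.
function insecure_account_settings_callback() {
    $user_id = absint( $_POST['user_id'] ?? 0 );            // user-controlled key
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_insecure_account_settings', 'insecure_account_settings_callback' );
add_action( 'wp_ajax_nopriv_insecure_account_settings', 'insecure_account_settings_callback' );

// Hardened shape: no nopriv hook, CSRF nonce check, identity taken from the
// session rather than the request, and a capability gate for editing others.
function secure_account_settings_callback() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 ); // wp_die()s
    }
    check_ajax_referer( 'account_settings_nonce', 'nonce' );  // dies on failure

    $current = get_current_user_id();
    $target  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current;

    // Ownership check (AC-3): a user may only edit their own record unless
    // they hold 'edit_users' (AC-6: least privilege for cross-account edits).
    if ( $target !== $current && ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }

    $result = wp_update_user( array( 'ID' => $target, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'user_id' => $target ) );
}
add_action( 'wp_ajax_secure_account_settings', 'secure_account_settings_callback' );
```

The decisive differences are the absence of a `wp_ajax_nopriv_` registration and the fact that `$target` defaults to the session's own user ID, so the request body can no longer pick an arbitrary account.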

Details

CWE(s): CWE-639 Authorization Bypass Through User-Controlled Key

Affected Products: chimpgroup jobcareer, versions ≤ 7.1

CVEs Like This One

- CVE-2024-11284 (same product: Chimpgroup Jobcareer)
- CVE-2024-11283 (same product: Chimpgroup Jobcareer)
- CVE-2024-11286 (same product: Chimpgroup Jobcareer)
- CVE-2024-12810 (same product: Chimpgroup Jobcareer)
- CVE-2026-5652 (shared CWE-639)
- CVE-2026-25197 (shared CWE-639)
- CVE-2025-14998 (shared CWE-639)
- CVE-2025-9114 (shared CWE-639)
- CVE-2025-10742 (shared CWE-639)
- CVE-2025-15521 (shared CWE-639)
