CVE-2024-11283 in WP JobHunt Plugin
Summary
by MITRE • 03/14/2025
The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to wp_ajax_google_api_login_callback function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to access arbitrary candidate accounts.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2025
The WP JobHunt plugin for WordPress presents a critical authentication bypass vulnerability identified as CVE-2024-11283 affecting all versions up to and including 7.1. This flaw resides within the wp_ajax_google_api_login_callback function which fails to adequately validate user identities before granting authentication access. The vulnerability represents a significant security weakness that directly undermines the plugin's access control mechanisms and compromises the integrity of candidate account protection.
The technical implementation of this vulnerability stems from insufficient input validation and authentication checks within the Google API login callback handler. When the wp_ajax_google_api_login_callback function processes authentication requests, it does not properly verify that the incoming authentication token corresponds to a legitimate user account or that the authentication request originates from a trusted source. This failure creates a pathway for malicious actors to manipulate the authentication flow and gain unauthorized access to candidate accounts without proper credentials. The vulnerability operates at the application layer and specifically targets the plugin's authentication logic, making it particularly dangerous for job hunting platforms that store sensitive candidate information.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables attackers to potentially compromise sensitive candidate data including personal information, resumes, and application details. Attackers can exploit this flaw to access arbitrary candidate accounts, which may contain confidential information such as contact details, employment history, and other personal data. This vulnerability particularly affects organizations using WordPress-based job portals where the WP JobHunt plugin manages candidate profiles and application processes. The authentication bypass allows for persistent unauthorized access that could remain undetected for extended periods, potentially leading to data breaches, identity theft, or other malicious activities.
Organizations should immediately implement mitigations including updating to the latest version of the WP JobHunt plugin where this vulnerability has been addressed. The recommended approach involves applying the vendor-supplied patch or upgrade to version 7.2 or later, which contains proper authentication verification mechanisms. Additionally, administrators should review and audit existing candidate account access logs to identify any suspicious activity that may have occurred during the vulnerability window. Security monitoring should be enhanced to detect anomalous authentication patterns and unauthorized access attempts. This vulnerability aligns with CWE-287 which addresses improper authentication issues, and maps to ATT&CK technique T1078 for valid accounts usage, emphasizing the need for robust authentication controls and continuous monitoring of access patterns.