CVE-2024-13873 in WP Job Portal Plugin
Summary
by MITRE • 02/22/2025
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.8 via the deleteUserPhoto() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove profile photos from users' accounts. Please note that this does not officially delete the file.
Analysis
by VulDB Data Team • 02/22/2025
The vulnerability identified as CVE-2024-13873 affects the WP Job Portal plugin for WordPress in all versions up to and including 2.2.8. It is an Insecure Direct Object Reference (IDOR) flaw that undermines the integrity of user account management within the plugin. The issue lies in the deleteUserPhoto() function, which fails to validate a user-controlled parameter, opening a path for unauthorized manipulation of user profile data.
Technically, the vulnerability stems from a missing authorization check: deleteUserPhoto() acts on whatever object reference the request supplies without confirming that the reference belongs to the calling user. An authenticated user with Subscriber-level privileges or higher can therefore submit a crafted parameter that refers to another user's profile photo. The flaw sits at the application-logic level rather than in cryptography or network protocols, which makes it easy to trigger, since it leverages legitimate functionality rather than a memory or protocol weakness.
From an operational perspective, this vulnerability creates significant risks for organizations relying on the WP Job Portal plugin for recruitment management. Attackers with minimal privileges can exploit this weakness to remove profile photographs from other users' accounts, potentially disrupting the user experience and creating confusion within the recruitment platform. The impact extends beyond simple data manipulation as it can be used to degrade service quality, interfere with job application processes, or potentially serve as a stepping stone for more sophisticated attacks. The vulnerability does not result in complete file deletion but rather removes the photo association from user profiles, which still constitutes a meaningful security breach.
The vulnerability is classified under CWE-284 (Improper Access Control), the broader weakness class that covers Insecure Direct Object Reference, and demonstrates how a missing object-level access check can let a low-privileged user act on other users' data through legitimate system functions. From an ATT&CK framework perspective, this vulnerability maps to T1078 Valid Accounts and T1566 Phishing, as it allows attackers to leverage existing user accounts to perform unauthorized actions within the system. Organizations should promptly apply mitigations: update the plugin to a version later than 2.2.8, validate the user-supplied key against the authenticated user, and add access controls so that users cannot modify other accounts' profile data.
Security practitioners should prioritize this vulnerability because it requires only a low-privileged account and can disrupt service. The fix is to add proper authorization checks and input validation to deleteUserPhoto(), so that a user can remove only their own profile photo and administrators act on other accounts only through an explicit, capability-checked path. Organizations should also audit their WordPress plugin ecosystem for the same pattern (request-supplied object keys used without an ownership check) and monitor for unauthorized account manipulations, for example a single account issuing photo-deletion requests that name many different user ids. The vulnerability underscores the importance of proper access control and input validation in web applications, particularly those handling user profile and recruitment data.
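As an added illustration of the pattern described in the analysis and the fix outlined above (this is not WP Job Portal's own code), a WordPress AJAX handler that deletes the photo of whatever user id the request names, beside a hardened version that binds the operation to the authenticated user. The `uid` parameter, the `profile_photo` meta key, the nonce action and the function names are assumptions.

```php
<?php
// Constructed illustration of the IDOR pattern, not WP Job Portal's code.
// Assumed names: the 'uid' request parameter, the 'profile_photo' user-meta key,
// the nonce action 'jobportal_delete_photo' and the handler function names.

// Vulnerable shape: the target user id comes straight from the request and is
// never compared with the caller, so any logged-in user can unlink any photo.
function jobportal_delete_user_photo_vulnerable() {
    $uid = absint( $_POST['uid'] ?? 0 );        // user-controlled key, unvalidated
    delete_user_meta( $uid, 'profile_photo' );  // may act on another user's profile
    wp_send_json_success();
}

// Hardened shape: require a nonce, derive the subject from the session, and
// allow other users' records only to callers holding an explicit capability.
function jobportal_delete_user_photo_hardened() {
    check_ajax_referer( 'jobportal_delete_photo', 'nonce' );   // CSRF guard

    $current = get_current_user_id();
    if ( 0 === $current ) {
        wp_send_json_error( 'not logged in', 401 );            // exits
    }

    // Object-level authorization: the key in the request must match the caller
    // unless the caller may edit that user (WordPress 'edit_user' meta capability).
    $requested = absint( $_POST['uid'] ?? 0 );
    $target    = $requested ?: $current;
    if ( $target !== $current && ! current_user_can( 'edit_user', $target ) ) {
        wp_send_json_error( 'forbidden', 403 );                // exits
    }

    delete_user_meta( $target, 'profile_photo' );
    wp_send_json_success( array( 'user' => $target ) );
}

add_action( 'wp_ajax_jobportal_delete_user_photo', 'jobportal_delete_user_photo_hardened' );
```

The hardened handler also logs nothing on its own; pairing the 403 branch with a log line gives the monitoring signal mentioned above (one account repeatedly naming other users' ids).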