प्लेटफ़ॉर्म
wordpress
घटक
wp-job-portal
में ठीक किया गया
2.1.7
CVE-2024-7950 is a critical vulnerability affecting the WP Job Portal plugin for WordPress. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, leading to potential code execution and data compromise. The vulnerability impacts versions of the plugin up to and including 2.1.6. A patch is expected to be released by the vendor.
The impact of CVE-2024-7950 is severe. An attacker exploiting this vulnerability can leverage Local File Inclusion (LFI) to include and execute arbitrary PHP code. This effectively bypasses access controls, allowing the attacker to read sensitive files, modify plugin settings, and create new user accounts with administrative privileges. The ability to execute arbitrary code opens the door to complete server compromise, including data exfiltration, malware installation, and denial-of-service attacks. The arbitrary settings update capability allows attackers to modify plugin configurations, potentially creating backdoors or further compromising the system. This vulnerability shares similarities with other LFI exploits where attackers leverage file inclusion to gain unauthorized access and control.
CVE-2024-7950 was publicly disclosed on 2024-09-04. The vulnerability's severity is high due to the ease of exploitation and potential impact. Public proof-of-concept (PoC) code is likely to emerge quickly given the vulnerability type. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns. The vulnerability has not yet been added to the CISA KEV catalog.
Websites using the WP Job Portal plugin, particularly those running older, unpatched versions (≤2.1.6), are at significant risk. Shared hosting environments where multiple websites share the same server are particularly vulnerable, as a compromise of one site could potentially lead to the compromise of others. Sites with weak file permissions or inadequate WAF protection are also at increased risk.
• wordpress / composer / npm:
grep -r 'checkFormRequest' /var/www/html/wp-content/plugins/wp-job-portal/• wordpress / composer / npm:
wp plugin list | grep "wp-job-portal"• wordpress / composer / npm:
wp plugin update wp-job-portal• generic web: Check WordPress plugin directory for updates to WP Job Portal. • generic web: Review WordPress server access logs for suspicious file inclusion attempts.
disclosure
एक्सप्लॉइट स्थिति
EPSS
0.69% (72% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2024-7950 is to immediately upgrade the WP Job Portal plugin to a patched version as soon as it becomes available. Until a patch is released, consider temporarily disabling the plugin to reduce the attack surface. As a temporary workaround, restrict file access permissions on the WordPress server to prevent the inclusion of arbitrary files. Implement a Web Application Firewall (WAF) with rules to block attempts to include files outside of designated directories. Regularly review WordPress plugin configurations and user accounts for any unauthorized changes. After upgrading, verify the fix by attempting to access restricted files via the plugin's vulnerable functions; access should be denied.
WP Job Portal प्लगइन को नवीनतम उपलब्ध संस्करण में अपडेट करें। भेद्यता अनधिकृत स्थानीय फ़ाइल समावेशन, मनमाना सेटिंग्स अपडेट और उपयोगकर्ता निर्माण की अनुमति देती है। 2.1.6 से बाद के संस्करण में अपडेट करने से इन समस्याओं का समाधान हो जाएगा।
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2024-7950 is a critical vulnerability in the WP Job Portal WordPress plugin allowing unauthenticated attackers to include and execute arbitrary files, update settings, and create users.
You are affected if you are using the WP Job Portal plugin version 2.1.6 or earlier. Immediately assess your environment and take action.
Upgrade the WP Job Portal plugin to the latest available version as soon as a patch is released. Temporarily disable the plugin as a workaround until the patch is applied.
While active exploitation has not been confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted soon. Monitor security advisories.
Check the WP Job Portal plugin's official website and WordPress plugin repository for updates and security advisories related to CVE-2024-7950.
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।