Vulnerabilites related to ultimatemember - jobboardwp
CVE-2021-39329 (GCVE-0-2021-39329)
Vulnerability from cvelistv5
Published
2021-10-19 14:14
Modified
2025-02-14 17:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
The JobBoardWP WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/includes/admin/class-metabox.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.7. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| JobBoardWP | JobBoardWP |
Version: 1.0.7 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:06:42.138Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39329"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/BigTiger2020/word-press/blob/main/JobBoardWP%20%E2%80%93%20Job%20Board%20Listings%20and%20Submissions.md"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/jobboardwp/trunk/includes/admin/class-metabox.php#L165"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-39329",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T17:53:19.455728Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T17:53:28.080Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "JobBoardWP",
"vendor": "JobBoardWP",
"versions": [
{
"lessThanOrEqual": "1.0.7",
"status": "affected",
"version": "1.0.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thinkland Security Team"
}
],
"datePublic": "2021-10-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The JobBoardWP WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/includes/admin/class-metabox.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.7. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-19T14:14:51.000Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39329"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/BigTiger2020/word-press/blob/main/JobBoardWP%20%E2%80%93%20Job%20Board%20Listings%20and%20Submissions.md"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://plugins.trac.wordpress.org/browser/jobboardwp/trunk/includes/admin/class-metabox.php#L165"
}
],
"solutions": [
{
"lang": "en",
"value": "Uninstall plugin from site."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "JobBoardWP \u2013 Job Board Listings and Submissions \u003c= 1.0.7 Authenticated Stored Cross-Site Scripting",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Wordfence",
"ASSIGNER": "security@wordfence.com",
"DATE_PUBLIC": "2021-10-15T19:23:00.000Z",
"ID": "CVE-2021-39329",
"STATE": "PUBLIC",
"TITLE": "JobBoardWP \u2013 Job Board Listings and Submissions \u003c= 1.0.7 Authenticated Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "JobBoardWP",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.0.7",
"version_value": "1.0.7"
}
]
}
}
]
},
"vendor_name": "JobBoardWP"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thinkland Security Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The JobBoardWP WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/includes/admin/class-metabox.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.7. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39329",
"refsource": "MISC",
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39329"
},
{
"name": "https://github.com/BigTiger2020/word-press/blob/main/JobBoardWP%20%E2%80%93%20Job%20Board%20Listings%20and%20Submissions.md",
"refsource": "MISC",
"url": "https://github.com/BigTiger2020/word-press/blob/main/JobBoardWP%20%E2%80%93%20Job%20Board%20Listings%20and%20Submissions.md"
},
{
"name": "https://plugins.trac.wordpress.org/browser/jobboardwp/trunk/includes/admin/class-metabox.php#L165",
"refsource": "MISC",
"url": "https://plugins.trac.wordpress.org/browser/jobboardwp/trunk/includes/admin/class-metabox.php#L165"
}
]
},
"solution": [
{
"lang": "en",
"value": "Uninstall plugin from site."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2021-39329",
"datePublished": "2021-10-19T14:14:51.612Z",
"dateReserved": "2021-08-20T00:00:00.000Z",
"dateUpdated": "2025-02-14T17:53:28.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10880 (GCVE-0-2024-10880)
Vulnerability from cvelistv5
Published
2024-11-23 04:32
Modified
2024-11-23 13:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The JobBoardWP – Job Board Listings and Submissions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ultimatemember | JobBoardWP – Job Board Listings and Submissions |
Version: * ≤ 1.3.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10880",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-23T13:15:10.890192Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-23T13:18:23.457Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "JobBoardWP \u2013 Job Board Listings and Submissions",
"vendor": "ultimatemember",
"versions": [
{
"lessThanOrEqual": "1.3.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "The JobBoardWP \u2013 Job Board Listings and Submissions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg \u0026 remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-23T04:32:18.851Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07b48c64-aa54-4b9b-b1ee-c0f065e2aaa4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/jobboardwp/tags/1.2.8/includes/admin/class-emails-list-table.php#L168"
},
{
"url": "https://plugins.trac.wordpress.org/browser/jobboardwp/tags/1.2.8/includes/admin/class-emails-list-table.php#L192"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3194143%40jobboardwp\u0026new=3194143%40jobboardwp\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-22T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "JobBoardWP \u2013 Job Board Listings and Submissions \u003c= 1.3.0 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-10880",
"datePublished": "2024-11-23T04:32:18.851Z",
"dateReserved": "2024-11-05T16:40:17.251Z",
"dateUpdated": "2024-11-23T13:18:23.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23715 (GCVE-0-2023-23715)
Vulnerability from cvelistv5
Published
2024-12-09 11:31
Modified
2024-12-09 18:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in JobBoardWP JobBoardWP – Job Board Listings and Submissions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JobBoardWP – Job Board Listings and Submissions: from n/a through 1.2.2.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| JobBoardWP | JobBoardWP – Job Board Listings and Submissions |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T13:28:34.379630Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T18:40:20.267Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "jobboardwp",
"product": "JobBoardWP \u2013 Job Board Listings and Submissions",
"vendor": "JobBoardWP",
"versions": [
{
"changes": [
{
"at": "1.2.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.2.2",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Fariq Fadillah Gusti Insani (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in JobBoardWP JobBoardWP \u2013 Job Board Listings and Submissions allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects JobBoardWP \u2013 Job Board Listings and Submissions: from n/a through 1.2.2.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in JobBoardWP JobBoardWP \u2013 Job Board Listings and Submissions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JobBoardWP \u2013 Job Board Listings and Submissions: from n/a through 1.2.2."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T11:31:54.341Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/jobboardwp/vulnerability/wordpress-jobboardwp-job-board-listings-and-submissions-plugin-1-2-2-idor-leading-to-job-removal-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress JobBoardWP \u2013 Job Board Listings and Submissions plugin to the latest available version (at least 1.2.3)."
}
],
"value": "Update the WordPress JobBoardWP \u2013 Job Board Listings and Submissions plugin to the latest available version (at least 1.2.3)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress JobBoardWP \u2013 Job Board Listings and Submissions plugin \u003c= 1.2.2 - IDOR Leading To Job Removal Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-23715",
"datePublished": "2024-12-09T11:31:54.341Z",
"dateReserved": "2023-01-17T15:49:20.262Z",
"dateUpdated": "2024-12-09T18:40:20.267Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4061 (GCVE-0-2022-4061)
Vulnerability from cvelistv5
Published
2022-12-19 13:41
Modified
2025-04-17 13:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The JobBoardWP WordPress plugin before 1.2.2 does not properly validate file names and types in its file upload functionalities, allowing unauthenticated users to upload arbitrary files such as PHP.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/fec68e6e-f612-43c8-8301-80f7ae3be665 | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | JobBoardWP |
Version: 0 < 1.2.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:27:54.227Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/fec68e6e-f612-43c8-8301-80f7ae3be665"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-4061",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T13:55:32.815453Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T13:56:00.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "JobBoardWP",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.2.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "cydave"
}
],
"descriptions": [
{
"lang": "en",
"value": "The JobBoardWP WordPress plugin before 1.2.2 does not properly validate file names and types in its file upload functionalities, allowing unauthenticated users to upload arbitrary files such as PHP."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-19T13:41:42.453Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/fec68e6e-f612-43c8-8301-80f7ae3be665"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "JobBoardWP \u003c 1.2.2 - Unauthenticated Arbitrary File Upload",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-4061",
"datePublished": "2022-12-19T13:41:42.453Z",
"dateReserved": "2022-11-18T18:44:27.247Z",
"dateUpdated": "2025-04-17T13:56:00.263Z",
"requesterUserId": "dc9e157c-ddf1-4983-adaf-9f01d16b5e04",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2022-12-19 14:15
Modified
2025-04-17 14:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
The JobBoardWP WordPress plugin before 1.2.2 does not properly validate file names and types in its file upload functionalities, allowing unauthenticated users to upload arbitrary files such as PHP.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/fec68e6e-f612-43c8-8301-80f7ae3be665 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/fec68e6e-f612-43c8-8301-80f7ae3be665 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ultimatemember | jobboardwp | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ultimatemember:jobboardwp:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "93F7F62B-A7CA-400B-B6E2-F04A47D6C611",
"versionEndExcluding": "1.2.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The JobBoardWP WordPress plugin before 1.2.2 does not properly validate file names and types in its file upload functionalities, allowing unauthenticated users to upload arbitrary files such as PHP."
},
{
"lang": "es",
"value": "El complemento JobBoardWP de WordPress anterior a 1.2.2 no valida correctamente los nombres y tipos de archivos en sus funcionalidades de carga de archivos, lo que permite a usuarios no autenticados cargar archivos arbitrarios como PHP."
}
],
"id": "CVE-2022-4061",
"lastModified": "2025-04-17T14:15:24.983",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-12-19T14:15:12.013",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/fec68e6e-f612-43c8-8301-80f7ae3be665"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/fec68e6e-f612-43c8-8301-80f7ae3be665"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified"
}
Vulnerability from fkie_nvd
Published
2021-10-19 15:15
Modified
2024-11-21 06:19
Severity ?
5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
The JobBoardWP WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/includes/admin/class-metabox.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.7. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ultimatemember | jobboardwp | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ultimatemember:jobboardwp:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0B61CFA2-F236-4CE6-A59F-E098998CDDEF",
"versionEndIncluding": "1.0.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The JobBoardWP WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/includes/admin/class-metabox.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.7. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled."
},
{
"lang": "es",
"value": "El plugin JobBoardWP de WordPress es vulnerable a un ataque de tipo Cross-Site Scripting Almacenado debido a una comprobaci\u00f3n y saneamiento insuficiente de entradas por medio de varios par\u00e1metros encontrados en el archivo ~/includes/admin/class-metabox.php que permit\u00edan a atacantes con acceso de usuario administrativo inyectar scripts web arbitrarios, en versiones hasta la 1.0.7 incluy\u00e9ndola. Esto afecta a las instalaciones multisitio en las que unfiltered_html est\u00e1 deshabilitado para los administradores, y a los sitios en los que unfiltered_html est\u00e1 deshabilitado"
}
],
"id": "CVE-2021-39329",
"lastModified": "2024-11-21T06:19:15.123",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-19T15:15:07.810",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/BigTiger2020/word-press/blob/main/JobBoardWP%20%E2%80%93%20Job%20Board%20Listings%20and%20Submissions.md"
},
{
"source": "security@wordfence.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/browser/jobboardwp/trunk/includes/admin/class-metabox.php#L165"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39329"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/BigTiger2020/word-press/blob/main/JobBoardWP%20%E2%80%93%20Job%20Board%20Listings%20and%20Submissions.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://plugins.trac.wordpress.org/browser/jobboardwp/trunk/includes/admin/class-metabox.php#L165"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39329"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@wordfence.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-23 05:15
Modified
2025-07-12 00:42
Severity ?
Summary
The JobBoardWP – Job Board Listings and Submissions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ultimatemember | jobboardwp | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ultimatemember:jobboardwp:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "B247E3D8-D00E-479C-8860-9F97D22AF4EF",
"versionEndExcluding": "1.3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The JobBoardWP \u2013 Job Board Listings and Submissions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg \u0026 remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
},
{
"lang": "es",
"value": "El complemento JobBoardWP \u2013 Job Board Listings and Submissions para WordPress es vulnerable a ataques de cross-site scripting reflejado debido al uso de add_query_arg y remove_query_arg sin el escape adecuado en la URL en todas las versiones hasta la 1.3.0 incluida. Esto permite que atacantes no autenticados inyecten secuencias de comandos web arbitrarias en p\u00e1ginas que se ejecutan si logran enga\u00f1ar a un usuario para que realice una acci\u00f3n como hacer clic en un enlace."
}
],
"id": "CVE-2024-10880",
"lastModified": "2025-07-12T00:42:52.290",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security@wordfence.com",
"type": "Primary"
}
]
},
"published": "2024-11-23T05:15:06.207",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/jobboardwp/tags/1.2.8/includes/admin/class-emails-list-table.php#L168"
},
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/jobboardwp/tags/1.2.8/includes/admin/class-emails-list-table.php#L192"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3194143%40jobboardwp\u0026new=3194143%40jobboardwp\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07b48c64-aa54-4b9b-b1ee-c0f065e2aaa4?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@wordfence.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-12-09 13:15
Modified
2025-02-03 14:32
Severity ?
5.2 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Missing Authorization vulnerability in JobBoardWP JobBoardWP – Job Board Listings and Submissions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JobBoardWP – Job Board Listings and Submissions: from n/a through 1.2.2.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ultimatemember | jobboardwp | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ultimatemember:jobboardwp:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "B434A92A-AC23-4BF7-AEC2-B1E0C3839800",
"versionEndIncluding": "1.2.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization vulnerability in JobBoardWP JobBoardWP \u2013 Job Board Listings and Submissions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JobBoardWP \u2013 Job Board Listings and Submissions: from n/a through 1.2.2."
},
{
"lang": "es",
"value": "Vulnerabilidad de autorizaci\u00f3n faltante en JobBoardWP JobBoardWP \u2013 Job Board Listings and Submissions permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a JobBoardWP \u2013 Job Board Listings and Submissions: desde n/a hasta 1.2.2."
}
],
"id": "CVE-2023-23715",
"lastModified": "2025-02-03T14:32:10.613",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 4.2,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-12-09T13:15:20.390",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/wordpress/plugin/jobboardwp/vulnerability/wordpress-jobboardwp-job-board-listings-and-submissions-plugin-1-2-2-idor-leading-to-job-removal-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "audit@patchstack.com",
"type": "Primary"
}
]
}