cbcvebase.
CVE-2020-35749
published 2021-01-15

Priority: P2 · 66 · high · 7.7 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:N / A:N
EXPLOIT
EPSS: 30.48% (98.0th percentile)

Directory traversal vulnerability in class-simple_job_board_resume_download_handler.php in the Simple Board Job plugin 2.9.3 and earlier for WordPress allows remote attackers to read arbitrary files via the sjb_file parameter to wp-admin/post.php.

Affected

1 range

Vendor | Product | Version range | Fixed in
presstigers | simple_board_job | <= 2.9.3 |

Detection & IOCs (extracted from sources)

path: /wp-admin/post.php?post=372&action=edit&sjb_file=../../../../etc/passwd
path: wp-admin/post.php?post=application_id&action=edit&sjb_file=
yara: regex: root:[x*]:0:0
  • Monitor GET requests to wp-admin/post.php containing the 'sjb_file' parameter with path traversal sequences (e.g., '../') — this is the direct exploitation vector for the LFI vulnerability.
  • The Metasploit module uses a default traversal depth of 8 (i.e., '../../../../../../../') combined with the sjb_file parameter; alert on 8 or more consecutive '../' sequences in the sjb_file query parameter.
  • Exploitation requires an authenticated session with the 'download_resume' capability (e.g., HR role). Correlate suspicious file-read attempts with recently authenticated low-privilege WordPress users.
  • The exploit posts credentials to /wp-login.php and immediately follows with a GET to /wp-admin/post.php with sjb_file set to a traversal path; detect this two-request sequence (login then immediate LFI attempt) in web logs.
  • The Metasploit module stores loot under the identifier 'Simple_JobBoard.traversal'; hunting for this string in SIEM/EDR logs can reveal Metasploit-based exploitation attempts.
  • The Nuclei template uses a hardcoded post ID of 372 in the PoC request, but the Metasploit module and Python exploit use 'application_id' as a placeholder. The actual valid post ID will vary per target installation; detection rules should match on the sjb_file parameter regardless of the post ID value.
  • Exploitation requires authentication; unauthenticated scanning will not trigger the vulnerability. Ensure detection logic accounts for authenticated sessions (valid WordPress auth cookies present in the request).
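
One way to apply the log-based checks above, as an added example that is not taken from the advisory, the Metasploit module or the Nuclei template. It assumes combined-format access logs and a 60-second login correlation window; the sample lines, IP addresses and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format, documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jan/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [15/Jan/2021:10:00:03 +0000] "GET /wp-admin/post.php?post=372&action=edit&sjb_file=../../../../etc/passwd HTTP/1.1" 200 1432
198.51.100.9 - - [15/Jan/2021:10:05:00 +0000] "GET /wp-admin/post.php?post=15&action=edit&sjb_file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1432
198.51.100.20 - - [15/Jan/2021:10:06:00 +0000] "GET /wp-admin/post.php?post=15&action=edit&sjb_file=resume.pdf HTTP/1.1" 200 88211
198.51.100.20 - - [15/Jan/2021:10:07:00 +0000] "GET /wp-admin/post.php?post=15&action=edit HTTP/1.1" 200 5120
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TRAVERSAL = re.compile(r'(?:\.\.[/\\])+')  # one run of consecutive ../ or ..\

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (bounded) so %252e%252e%252f is seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def detect(log_text, login_window=timedelta(seconds=60)):
    # Flags sjb_file traversal on post.php for any post ID, noting a recent login.
    last_login, alerts = {}, []  # last_login: client IP -> last POST to wp-login.php
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, target, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        if method == "POST" and url.path.endswith("/wp-login.php"):
            last_login[ip] = when
            continue
        if not url.path.endswith("/wp-admin/post.php"):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("sjb_file", []):
            value = decode_fully(raw)
            runs = TRAVERSAL.findall(value)
            if runs:
                depth = max(len(re.findall(r'\.\.', r)) for r in runs)
                after_login = ip in last_login and when - last_login[ip] <= login_window
                alerts.append({"ip": ip, "sjb_file": value, "depth": depth,
                               "after_login": after_login})
    return alerts
```

The `depth` field can be compared against the traversal-depth threshold noted above, and `after_login` marks the login-then-request sequence from the same client address.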

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N