CVE-2020-35749
published 2021-01-15CVE-2020-35749: Directory traversal vulnerability in class-simple_job_board_resume_download_handler.php in the Simple Board Job plugin 2.9.3 and earlier for WordPress allows…
PriorityP266high7.7CVSS 3.1
AVNACLPRLUINSCCHINAN
EXPLOIT
EPSS
30.48%
98.0th percentile
Directory traversal vulnerability in class-simple_job_board_resume_download_handler.php in the Simple Board Job plugin 2.9.3 and earlier for WordPress allows remote attackers to read arbitrary files via the sjb_file parameter to wp-admin/post.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| presstigers | simple_board_job | <= 2.9.3 | — |
Detection & IOCsextracted from sources · hover to see the quote
yara↗
regex: root:[x*]:0:0
- →Monitor GET requests to wp-admin/post.php containing the 'sjb_file' parameter with path traversal sequences (e.g., '../') — this is the direct exploitation vector for the LFI vulnerability. ↗
- →The Metasploit module uses a default traversal depth of 8 (i.e., '../../../../../../../') combined with the sjb_file parameter; alert on 8 or more consecutive '../' sequences in the sjb_file query parameter. ↗
- →Exploitation requires an authenticated session with the 'download_resume' capability (e.g., HR role). Correlate suspicious file-read attempts with recently authenticated low-privilege WordPress users. ↗
- →The exploit posts credentials to /wp-login.php and immediately follows with a GET to /wp-admin/post.php with sjb_file set to a traversal path; detect this two-request sequence (login then immediate LFI attempt) in web logs. ↗
- →The Metasploit module stores loot under the identifier 'Simple_JobBoard.traversal'; hunting for this string in SIEM/EDR logs can reveal Metasploit-based exploitation attempts. ↗
- ·The Nuclei template uses a hardcoded post ID of 372 in the PoC request, but the Metasploit module and Python exploit use 'application_id' as a placeholder. The actual valid post ID will vary per target installation; detection rules should match on the sjb_file parameter regardless of the post ID value. ↗
- ·Exploitation requires authentication; unauthenticated scanning will not trigger the vulnerability. Ensure detection logic accounts for authenticated sessions (valid WordPress auth cookies present in the request). ↗
CVSS provenance
nvdv3.17.7HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion
exploitdb·2022-02-08·CVSS 7.7
CVE-2020-35749 [HIGH] Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion
Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion
---
# Exploit Title: Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion
# Date: 2022-02-06
# Exploit Author: Ven3xy
# Vendor Homepage: https://wordpress.org/plugins/simple-job-board/
# Software Link: https://downloads.wordpress.org/plugin/simple-job-board.2.9.3.zip
# Version: 2.9.3
# Tested on: Ubuntu 20.04 LTS
# CVE : CVE-2020-35749
import requests
import sys
import time
class color:
HEADER = '\033[95m'
IMPORTANT = '\33[35m'
NOTICE = '\033[33m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
RED = '\033[91m'
END = '\033[0m'
UNDERLINE = '\033[4m'
LOGGING = '\33[34m'
color_random=[color.HEADER,color.IMPORTANT,color.NOTICE,color.OKBLUE,color.OKGREEN,color.WARNING,color.RED,color.END,color.UNDERLINE,
Exploit-DB
Wordpress Plugin Simple Job Board 2.9.3 - Authenticated File Read (Metasploit)
exploitdb·2021-01-21·CVSS 7.7
CVE-2020-35749 [HIGH] Wordpress Plugin Simple Job Board 2.9.3 - Authenticated File Read (Metasploit)
Wordpress Plugin Simple Job Board 2.9.3 - Authenticated File Read (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Simple JobBoard Authenticated File Read Vulnerability',
'Description' => %q{
This module exploits an authenticated directory traversal vulnerability in WordPress plugin 'Simple JobBoard '
[
'Arcangelo Saracino', # Vulnerability discovery
'Hoa Nguyen - Suncsr Team', # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2020-35749'],
['WPVDB', 'eed3bd69-2faf-4bc9-915c-c36211ef9e2d'],
['URL','https://arkango.github.io/CVE-2020/CVE-2020-35749%20DIr.%20Traversal%20Simple%20Board%20Job%20Wordpress%20plugin.html']
],
'DisclosureDat
Nuclei
WordPress Simple Job Board <2.9.4 - Local File Inclusion
nuclei·CVSS 7.7
CVE-2020-35749 [HIGH] WordPress Simple Job Board <2.9.4 - Local File Inclusion
WordPress Simple Job Board <2.9.4 - Local File Inclusion
WordPress Simple Job Board prior to version 2.9.4 is vulnerable to arbitrary file retrieval vulnerabilities because it does not validate the sjb_file parameter when viewing a resume, allowing an authenticated user with the download_resume capability (such as HR users) to download arbitrary files from the web-server via local file inclusion.
Template:
id: CVE-2020-35749
info:
name: WordPress Simple Job Board <2.9.4 - Local File Inclusion
author: cckuailong
severity: high
description: WordPress Simple Job Board prior to version 2.9.4 is vulnerable to arbitrary file retrieval vulnerabilities because it does not validate the sjb_file parameter when viewing a resume, allowing an authenticated user with the download_resume capability (
No writeups or analysis indexed.
http://packetstormsecurity.com/files/161050/Simple-JobBoard-Authenticated-File-Read.htmlhttp://packetstormsecurity.com/files/165892/WordPress-Simple-Job-Board-2.9.3-Local-File-Inclusion.htmlhttps://docs.google.com/document/d/1TbePkrRGsczepBaJptIdVRvfRrjiC5hjGg_Vxdesw6E/edit?usp=sharinghttp://packetstormsecurity.com/files/161050/Simple-JobBoard-Authenticated-File-Read.htmlhttp://packetstormsecurity.com/files/165892/WordPress-Simple-Job-Board-2.9.3-Local-File-Inclusion.htmlhttps://docs.google.com/document/d/1TbePkrRGsczepBaJptIdVRvfRrjiC5hjGg_Vxdesw6E/edit?usp=sharing
2021-01-15
Published