CVE-2022-2544
published 2022-08-22

Priority: P3 54 | high | 7.5 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 3.16% (86.4th percentile)

The Ninja Job Board WordPress plugin before 1.3.3 does not protect the directory where it stores uploaded resumes, making it vulnerable to unauthenticated Directory Listing which allows the download of uploaded resumes.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpmanageninja | ninja_job_board | < 1.3.3 | 1.3.3 |

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/wp/wp-content/uploads/wpjobboard/
url: {{BaseURL}}/wp-content/uploads/wpjobboard/
path: /wp-content/uploads/wpjobboard/
  • Detect unauthenticated directory listing of the wpjobboard uploads directory by matching the 'Index of' string in the HTTP response body for the path /wp-content/uploads/wpjobboard/.
  • Check for an HTTP 200 response with Content-Type text/html when requesting /wp-content/uploads/wpjobboard/ unauthenticated; a successful directory listing response confirms that the directory is exposed.
  • The vulnerable path may be prefixed with /wp/ depending on the WordPress installation layout; both /wp/wp-content/uploads/wpjobboard/ and /wp-content/uploads/wpjobboard/ should be probed, stopping at the first match.
  • The vulnerability only affects Ninja Job Board plugin versions prior to 1.3.3; it was patched in changeset 2758420 via a FileHandler.php update.
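
The checks above can be combined into one self-audit for a site you operate. This is an added example, not code from the page's sources; the function names, the User-Agent string and the sample responses are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request

# Both layouts named on the page; the /wp/ prefix depends on the installation.
CANDIDATE_PATHS = ("/wp/wp-content/uploads/wpjobboard/",
                   "/wp-content/uploads/wpjobboard/")

# Constructed sample responses: (status, Content-Type, body).
SAMPLE_RESPONSES = {
    "listing": (200, "text/html;charset=UTF-8",
                "<html><title>Index of /wp-content/uploads/wpjobboard</title></html>"),
    "forbidden": (403, "text/html", "<h1>Forbidden</h1>"),
    "not_found": (404, "text/html", "<h1>Not Found</h1>"),
}

def is_directory_listing(status, content_type, body):
    """All three matchers must hold: HTTP 200, text/html, 'Index of' in the body."""
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    return status == 200 and media_type == "text/html" and "Index of" in body

def fetch(url, timeout=10):
    """Unauthenticated GET (no cookies, no auth header); hypothetical helper."""
    req = urllib.request.Request(url, headers={"User-Agent": "wpjobboard-self-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, resp.headers.get("Content-Type", ""), body
    except urllib.error.HTTPError as err:
        # A 403 or 404 here means the directory is not listed to anonymous clients.
        return err.code, err.headers.get("Content-Type", ""), ""
    except OSError:
        # Covers URLError and timeouts: unreachable, so nothing can be concluded.
        return 0, "", ""

def check_site(base_url, fetcher=fetch):
    """Probe both layouts, stop at the first match; return the exposed URL or None."""
    for path in CANDIDATE_PATHS:
        url = base_url.rstrip("/") + path
        if is_directory_listing(*fetcher(url)):
            return url
    return None

if __name__ == "__main__":
    # Offline demonstration against the constructed responses above.
    fake = lambda url: SAMPLE_RESPONSES["not_found" if "/wp/wp-content/" in url else "listing"]
    print(check_site("https://example.test", fake))
```

A `None` result after upgrading to 1.3.3 is the expected outcome; resumes uploaded before the fix should still be treated as potentially disclosed.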