CVE-2024-8614

CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

8.8HIGH

EPSS

12.2%

top 6.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Eyecix Jobsearch WP JOB Board

Timeline

PublishedNov 6

Description

The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_wp_handle_upload() function in all versions up to, and including, 2.6.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages2 packages

▶NVDeyecix/jobsearch_wp_job_board< 2.6.8

▶CVEListV5eyecix/jobsearch_wp_job_board2.6.7

🔴Vulnerability Details

GHSA

GHSA-xcrw-r9q7-wxcx: The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_wp_handle↗2024-11-06

▶

CVEList

WP JobSearch <= 2.6.7 - Authenticated (Subscriber+) Arbitrary File Upload↗2024-11-06

▶