What the vulnerability does
01 Description
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the 'status' parameter of applied jobs for any user.
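The defect class named above (an AJAX callback that changes application data without confirming that the caller is allowed to) is shown here as an added illustration only; this is not code from WP JobHunt or the JobCareer theme, and every function name, capability name, post type and meta key in it is hypothetical. The insecure handler is placed beside a hardened one so the individual checks a reviewer would look for are visible.

```php
<?php
// Added illustration of the defect class described on this page; not code
// from WP JobHunt. All function names, capability names, post types and
// meta keys below are hypothetical.

// Insecure pattern: any logged-in user can reach this handler, and the raw
// 'status' value is stored and later reflected without escaping.
add_action( 'wp_ajax_example_update_status_insecure', 'example_update_status_insecure' );
function example_update_status_insecure() {
    $app_id = intval( $_POST['app_id'] );
    $status = $_POST['status'];                 // unvalidated, unescaped
    update_post_meta( $app_id, '_example_status', $status );
    echo $status;                               // stored value reflected as HTML
    wp_die();
}

// Hardened pattern: nonce, capability, object-level ownership, allowlist, escaping.
add_action( 'wp_ajax_example_update_status', 'example_update_status' );
function example_update_status() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'example_update_status', 'nonce' );

    // 2. Authorization: only users holding the dedicated capability may change a status.
    //    'manage_job_applications' is a hypothetical custom capability granted to employers.
    if ( ! current_user_can( 'manage_job_applications' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Object-level check: the caller must own the job this application belongs to,
    //    otherwise a legitimate employer could still edit other employers' applications.
    $app_id = isset( $_POST['app_id'] ) ? absint( $_POST['app_id'] ) : 0;
    $app    = get_post( $app_id );
    if ( ! $app || 'example_application' !== $app->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    $job = get_post( (int) get_post_meta( $app_id, '_example_job_id', true ) );
    if ( ! $job || (int) $job->post_author !== get_current_user_id() ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Input validation: the status is restricted to a fixed allowlist, so no
    //    markup can ever be stored in it regardless of who calls the handler.
    $allowed = array( 'pending', 'shortlisted', 'rejected', 'hired' );
    $status  = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }

    update_post_meta( $app_id, '_example_status', $status );

    // 5. Output encoding: even an allowlisted value is escaped when it is rendered.
    wp_send_json_success( array( 'status' => esc_html( $status ) ) );
}
```

Note that the nonce check alone would not have closed the hole described on this page: a nonce proves the request came from the plugin's own page for the logged-in user, not that the user is entitled to change that record. The capability check and the ownership check in steps 2 and 3 are what stop a Candidate-level account from editing other users' applications, and the allowlist in step 4 is what removes the stored cross-site scripting vector independently of who is calling.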
Explanation of Vulnerability in Simple Terms
02 Summary
WP JobHunt versions 7.7 and earlier lack proper authorization checks, allowing authenticated users to read sensitive data and make unauthorized changes to the site. An attacker with a low-privilege account can access confidential information and modify content without proper permission. Update to a version newer than 7.7 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Read sensitive data and make unauthorized changes to the site with a low-privilege account.
Potential impact on your site
04 Site Impact
Unauthorized users can access confidential information and modify site content or settings.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid low-privilege user account on the site.
Key dates
06 Disclosure timeline
December 20, 2025: CVE published
April 8, 2026: Record updated