Remote Password Reset Flaw in WP-jobhunt Plugin by WordPress
CVE-2018-19488

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: WP-jobhunt
Vendor: CVE Published:; 21 March 2019

Summary

The WP-jobhunt plugin for WordPress prior to version 2.4 contains a vulnerability due to inadequate controls on AJAX requests directed at the cs_reset_pass() function. This oversight allows remote attackers, without authentication, to exploit the system and reset user account passwords, potentially compromising user security. Site administrators are encouraged to update to the latest version to mitigate this risk.

References

https://wpvulndb.com/vulnerabilities/9206

x_refsource_MISC

https://github.com/Antho59/wp-jobhunt-exploit

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 21, 2019
Vulnerability Reserved
Nov 23, 2018