Vulnerability in Simple Job Board Plugin Allows PHP Object Injection
CVE-2024-7351
7.2 HIGH
Summary
The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection through deserialization of untrusted input when job applications are edited. The vulnerability affects all versions up to and including 2.12.3 and allows authenticated attackers with Editor-level access or higher to inject PHP objects. No known property-oriented programming (POP) chain exists in the vulnerable version of the plugin itself, but if an additional plugin or theme on the same system provides one, attackers could potentially delete arbitrary files, access sensitive information, or execute malicious code, posing significant risks to affected websites.
Affected Version(s)
Simple Job Board * <= 2.12.3
References
CVSS V3.1
Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Francesco Carlucci