WordPress JobSearch WP Job Board plugin fixed vulnerability.

The WordPress JobSearch WP Job Board plugin (1,600+ sales on Envato) fixed a broken access control vulnerability in version 1.8.1 and below that could allow users to take over the website and its database.

Authenticated Arbitrary WordPress Options Change

CVSS v3.1: 8.8 (High)

In the “wp-jobsearch/includes/classes/class-job-import-integrations.php” script, line 15, the plugin registers the jobsearch_job_integrations_settin_save AJAX action, which loads the integrations_settin_save function:

add_action('wp_ajax_jobsearch_job_integrations_settin_save', array($this, 'integrations_settin_save'));

That function is used to save the plugin’s settings to the database:

public function integrations_settin_save()
{
   // No capability check and no nonce verification before this point.
   if (isset($_POST['action']) && $_POST['action'] == 'jobsearch_job_integrations_settin_save') {
      // Every POST key except 'action' becomes an option name, with its raw value.
      foreach ($_POST as $post_key => $post_val) {
         if ($post_key != 'action') {
            update_option($post_key, $post_val);
         }
      }

      echo json_encode(array('msg' => esc_html__('Settings Saved', 'wp-jobsearch')));
      die;
   }
}

It takes any key/value pairs found in the POST payload and saves them to the WordPress options table. The data isn’t validated and the function doesn’t verify that the user is allowed to access it. It also lacks a security nonce to prevent cross-site request forgery attacks.
An unauthenticated user can sign up for a candidate or employer account and then, using that account’s authentication cookie, modify every WordPress option in the database, for instance to create an administrator account or redirect all traffic to an external malicious website, among many other possibilities.

Unauthenticated Settings Change

CVSS v3.1: 5.3 (Medium)

In the “wp-jobsearch/modules/locations/include/location-settings.php” script, line 23, the plugin registers the save_locsettings function with the init hook, i.e., it runs each time WordPress loads:

 23  add_action('init', array($this, 'save_locsettings'), 30);
...
...
1246  public function save_locsettings()
1247  {
1248     if (isset($_POST['jobsearch_allocs_setingsubmit']) && $_POST['jobsearch_allocs_setingsubmit'] == '1') {
1249        $data_arr_list = array();
1250        foreach ($_POST as $post_key => $post_val) {
1251           $data_arr_list[$post_key] = $post_val;
1252        }
1253        update_option('jobsearch_locsetin_options', $data_arr_list);
1254     }
1255  }

The function is accessible to anyone, authenticated or not.
An unauthenticated user can change the plugin’s settings.
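Both handlers fail the same way: no capability check, no nonce, and client-supplied keys written straight to the options table. The following is an added example of how the two functions would look with those checks in place; it is not the plugin’s code, and the nonce action names, the nonce field name and the option-key allowlists are assumptions chosen for illustration.

```php
<?php
// Added example, not wp-jobsearch code. Hardened forms of the two handlers
// discussed above. Assumed: nonce action names, the '_wpnonce' field name,
// and the allowlists of option keys (placeholders, not real plugin options).

class JobSearch_Hardened_Settings {

    // Only these option names may be written by the AJAX handler (assumed list).
    private $allowed_options = array('jobsearch_example_option_one', 'jobsearch_example_option_two');

    // Only these keys are accepted for the location settings array (assumed list).
    private $allowed_locsettings = array('jobsearch_example_loc_key');

    public function __construct() {
        add_action('wp_ajax_jobsearch_job_integrations_settin_save', array($this, 'integrations_settin_save'));
        add_action('init', array($this, 'save_locsettings'), 30);
    }

    public function integrations_settin_save() {
        // 1. Authorization: only users who may manage options reach the write.
        if (!current_user_can('manage_options')) {
            wp_send_json_error(array('msg' => esc_html__('Not allowed', 'wp-jobsearch')), 403);
        }
        // 2. CSRF protection: check_ajax_referer() dies on a missing or invalid nonce.
        check_ajax_referer('jobsearch_integrations_settings', 'security');

        // 3. Allowlist and sanitize: option names come from code, never from $_POST.
        foreach ($this->allowed_options as $option) {
            if (isset($_POST[$option])) {
                update_option($option, sanitize_text_field(wp_unslash($_POST[$option])));
            }
        }
        wp_send_json_success(array('msg' => esc_html__('Settings Saved', 'wp-jobsearch')));
    }

    public function save_locsettings() {
        if (!isset($_POST['jobsearch_allocs_setingsubmit']) || $_POST['jobsearch_allocs_setingsubmit'] !== '1') {
            return;
        }
        // Runs on every request via 'init', so both checks are mandatory here too.
        $nonce = isset($_POST['_wpnonce']) ? sanitize_text_field(wp_unslash($_POST['_wpnonce'])) : '';
        if (!current_user_can('manage_options') || !wp_verify_nonce($nonce, 'jobsearch_locsettings_save')) {
            return;
        }
        $data_arr_list = array();
        foreach ($this->allowed_locsettings as $key) {
            if (isset($_POST[$key])) {
                $data_arr_list[$key] = sanitize_text_field(wp_unslash($_POST[$key]));
            }
        }
        update_option('jobsearch_locsetin_options', $data_arr_list);
    }
}
new JobSearch_Hardened_Settings();
```

The matching admin page must emit the nonces with wp_nonce_field() or wp_create_nonce() for the assumed action names, otherwise every legitimate save is rejected.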

Additional Issues

The jobsearch_add_job_import_schedule_call and jobsearch_update_job_import_schedule_call AJAX actions were accessible to all authenticated users and lacked security nonces.

Recommendations

Update immediately if you have version 1.8.1 or below installed. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Timeline

The issue was reported to Envato on September 22, 2021, and a new version 1.8.2 was released on September 24, 2021.
