This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: A critical authorization-bypass flaw in the **WP JobHunt** WordPress plugin. <br>**Consequences**: Attackers can hijack **any user account**, including **Administrators**.…
**Root Cause**: **CWE-639** (Authorization Bypass Through User-Controlled Key). <br>**Flaw**: The `account_settings_save_callback` function processes account changes without verifying that the requester actually is the user whose account is being modified.
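To make the root cause concrete, the following is an added illustration of the CWE-639 pattern in a WordPress AJAX handler. It is written for this summary and is not WP JobHunt's source code: the action name `jobhunt_account_settings_save`, the nonce action string and the request field names are assumptions. The vulnerable variant lets the request body choose which account is changed; the hardened variant derives the target from the session and adds nonce, capability and re-authentication checks.

```php
<?php
// Illustration of the CWE-639 pattern (hypothetical code, not the plugin's
// actual implementation). Both functions are WordPress AJAX callbacks.

// --- Vulnerable pattern: identity taken from the request body ---------------
function vulnerable_account_settings_save() {
    // The caller chooses which account to modify; nothing ties $user_id to
    // the session, so any reachable caller can reset any user's password.
    $user_id  = absint( $_POST['user_id'] );
    $password = (string) $_POST['password'];

    wp_set_password( $password, $user_id ); // arbitrary user, no identity check
    wp_send_json_success();
}

// --- Hardened pattern: identity comes from the session, not the request ------
function hardened_account_settings_save() {
    // 1. Reject unauthenticated callers (and never hook wp_ajax_nopriv_*).
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // 2. CSRF protection: the nonce must have been issued for this action
    //    (assumed nonce action name and query field).
    check_ajax_referer( 'jobhunt_account_settings', 'nonce' );

    // 3. Default target is the session user, never a value from the request.
    $target = get_current_user_id();

    // 4. If the design must allow editing another account, require the
    //    edit_user meta capability for that specific user ID.
    if ( isset( $_POST['user_id'] ) ) {
        $requested = absint( $_POST['user_id'] );
        if ( $requested !== $target && ! current_user_can( 'edit_user', $requested ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        $target = $requested;
    }

    // 5. Re-authenticate before a password change on the caller's own account.
    $current = wp_get_current_user();
    if ( $target === $current->ID
         && ! wp_check_password( (string) ( $_POST['current_password'] ?? '' ), $current->user_pass, $current->ID ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }

    $new_password = (string) ( $_POST['password'] ?? '' );
    if ( strlen( $new_password ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    wp_set_password( $new_password, $target );
    wp_send_json_success();
}

// Register only the authenticated hook; no wp_ajax_nopriv_ counterpart.
add_action( 'wp_ajax_jobhunt_account_settings_save', 'hardened_account_settings_save' );
```

The essential fix is step 3: the account being changed is taken from `get_current_user_id()`, so a client-supplied `user_id` can no longer select the victim. The nonce and capability checks are defence in depth; a nonce alone does not fix CWE-639, because a logged-in attacker can obtain a valid nonce for their own session and still submit someone else's ID.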
Q3 Who is affected? (Versions/Components)
**Affected Product**: **WP JobHunt** plugin. <br>**Versions**: **6.9 and earlier**. <br>**Platform**: WordPress sites with this plugin installed and active.
Q4 What can hackers do? (Privileges/Data)
**Attacker Actions**: <br>1. Change passwords for **arbitrary users**. <br>2. Take over **Administrator accounts**. <br>3. Gain **full control** over the WordPress site. <br>4.…
**Public Exploit**: **No PoC provided** in the data. <br>**Status**: Although no exploit code is public, the **CVSS score is 9.8 (Critical)**; a 9.8 base score implies a network-reachable, low-complexity attack requiring no privileges or user interaction, so in-the-wild exploitation is considered highly likely.
Q7 How to self-check? (Features/Scanning)
**Self-Check**: <br>1. Inventory installed plugins for **WP JobHunt**. <br>2. Verify whether the installed version is **≤ 6.9**. <br>3. Review recent account-settings changes (password or e-mail changes that users did not initiate). <br>4. Run a WordPress vulnerability scanner that matches installed plugin versions against published advisories.
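For steps 1 and 2 of the self-check, the following is an added stand-alone script (not from the plugin or the original page) that reads the standard WordPress plugin header from every plugin under `wp-content/plugins` and flags any whose name contains "JobHunt" with a version of 6.9 or lower. It assumes the WordPress root is passed as the first argument and that the plugin declares a standard `Plugin Name:` / `Version:` header; the plugin's directory name is deliberately not assumed.

```php
<?php
// Added self-check for the affected range stated above ("6.9 and earlier").
// Usage: php jobhunt-check.php /var/www/html

const AFFECTED_MAX_VERSION = '6.9';

/**
 * Parse the WordPress plugin header block from the first 8 KiB of a file,
 * using the same header-line shape WordPress's own get_file_data() accepts.
 * Returns null when the file carries no "Plugin Name:" header.
 */
function read_plugin_header( string $file ): ?array {
    $head = file_get_contents( $file, false, null, 0, 8192 );
    if ( $head === false
         || ! preg_match( '/^[ \t\/*#@]*Plugin Name:\s*(.+)$/mi', $head, $name ) ) {
        return null;
    }
    preg_match( '/^[ \t\/*#@]*Version:\s*(.+)$/mi', $head, $ver );
    return [
        'name'    => trim( $name[1] ),
        'version' => isset( $ver[1] ) ? trim( $ver[1] ) : '0',
        'file'    => $file,
    ];
}

/** True when $version is within the affected range (<= 6.9); 6.9.1 is not. */
function is_affected_version( string $version ): bool {
    return version_compare( $version, AFFECTED_MAX_VERSION, '<=' );
}

$root  = rtrim( $argv[1] ?? getcwd(), '/' );
$found = false;

foreach ( glob( $root . '/wp-content/plugins/*/*.php' ) as $file ) {
    $header = read_plugin_header( $file );
    if ( $header === null || stripos( $header['name'], 'jobhunt' ) === false ) {
        continue;
    }
    $found  = true;
    $status = is_affected_version( $header['version'] ) ? 'AFFECTED' : 'ok';
    printf( "%-8s %s %s (%s)\n", $status, $header['name'], $header['version'], $header['file'] );
}

if ( ! $found ) {
    echo "No plugin with 'JobHunt' in its header found under {$root}/wp-content/plugins\n";
}
```

On a host with WP-CLI, `wp plugin list --fields=name,version,status` gives the same inventory from the live site. Note that a file-system check only tells you whether a vulnerable version is present; it says nothing about whether the flaw has already been used, which is what step 3 (reviewing unexpected account changes) is for.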
**Urgency**: **CRITICAL (P1)**. <br>**Priority**: Patch **immediately**. <br>**Risk**: CVSS 9.8 is close to the top of the scale; exploitation of unpatched sites is a real threat.