CVE-2022-4061: 
WordPress vulnerability analysis and mitigation

The JobBoardWP WordPress plugin before version 1.2.2 contains a critical security vulnerability identified as CVE-2022-4061. The vulnerability was discovered and publicly disclosed on November 28, 2022. This security flaw affects the file upload functionality of the plugin, which fails to properly validate file names and types, potentially exposing WordPress installations to unauthorized file uploads (WPScan).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The security flaw exists in the file upload functionality where the plugin fails to implement proper validation for file names and types, particularly in the company logo upload feature. This vulnerability allows unauthenticated users to bypass intended restrictions and upload arbitrary files, including PHP files, despite them being disguised with different extensions (NVD).

The vulnerability allows unauthenticated attackers to upload arbitrary files, including malicious PHP files, to the WordPress installation. This could lead to remote code execution on the affected server, potentially allowing attackers to take control of the website or execute unauthorized commands (WPScan).

The vulnerability has been fixed in JobBoardWP version 1.2.2. Website administrators running affected versions should immediately upgrade to version 1.2.2 or later to protect their installations (WPScan).