CVE-2024-12131: 
WordPress vulnerability analysis and mitigation

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress contains an Insecure Direct Object Reference vulnerability (CVE-2024-12131) affecting all versions up to and including 2.2.5. The vulnerability was discovered and disclosed on January 7, 2025, and was reported by Wordfence (Wordfence Advisory).

The vulnerability stems from missing validation on a user-controlled key in the plugin's job application system. It has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD).

This vulnerability allows authenticated attackers with Subscriber-level access or higher to submit resumes for other applicants when applying for jobs. This could lead to unauthorized submission of job applications on behalf of other users, potentially compromising the integrity of the job application process (NVD).

Users are advised to update to version 2.2.6 or later of the WP Job Portal plugin, which contains fixes for this vulnerability (WordPress Plugin).