CVE-2024-13371: 
WordPress vulnerability analysis and mitigation

The WP Job Portal WordPress plugin (versions up to 2.2.6) contains a vulnerability identified as CVE-2024-13371, discovered and disclosed on January 31, 2025. This security flaw affects the plugin's email functionality, specifically in the sendEmailToJobSeeker() function, where a missing capability check creates a security risk (NVD).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 Base Score of 5.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to send arbitrary emails with custom content using the site's mail server. This could potentially be exploited for spam campaigns or phishing attacks, as attackers can abuse the legitimate mail server of the affected WordPress installation (NVD).

The vulnerability has been patched in version 2.2.7 of the WP Job Portal plugin. Site administrators are advised to update to this version or later to protect against unauthorized email sending (Wordpress Patch).