CVE-2024-7950: 
WordPress vulnerability analysis and mitigation

The WP Job Portal WordPress plugin (versions up to 2.1.6) contains multiple critical vulnerabilities including Local File Inclusion, Arbitrary Settings Update, and unauthorized User Creation. The vulnerability was discovered and reported by Wordfence, with disclosure on September 3, 2024 (Wordfence Advisory).

The vulnerability stems from several functions called by the 'checkFormRequest' function that lack proper security controls. The issue has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-862 (Missing Authorization) and CWE-22 (Path Traversal) (NVD).

The vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to the execution of any PHP code in those files. Additionally, attackers can update arbitrary settings and create user accounts with administrator privileges, even when registration is disabled (NVD).

Website administrators running affected versions of the WP Job Portal plugin should immediately update to version 2.1.7 or later which contains security fixes for these vulnerabilities. A patch has been released and is available through the WordPress plugin repository (WordPress Patch).