CVE-2023-6843: CWE-284 Improper Access Control in Unknown easy.jobs- Best Recruitment Plugin for Job Board Listing, Manager, Career Page for Elementor & Gutenberg

Medium
Tags: Vulnerability, CVE-2023-6843, cve, cwe-284
Published: Mon Jan 15 2024 (01/15/2024, 15:10:39 UTC)
Source: CVE Database V5
Vendor/Project: Unknown
Product: easy.jobs- Best Recruitment Plugin for Job Board Listing, Manager, Career Page for Elementor & Gutenberg

Description

The easy.jobs- Best Recruitment Plugin for Job Board Listing, Manager, Career Page for Elementor & Gutenberg WordPress plugin before 2.4.7 does not properly secure some of its AJAX actions, allowing any logged-in users to modify its settings.

AI-Powered Analysis

Last updated: 07/03/2025, 20:26:16 UTC

Technical Analysis

CVE-2023-6843 is a medium-severity vulnerability affecting the WordPress plugin "easy.jobs - Best Recruitment Plugin for Job Board Listing, Manager, Career Page for Elementor & Gutenberg" in versions prior to 2.4.7. The vulnerability is categorized under CWE-284, which refers to improper access control. Specifically, the plugin fails to adequately secure certain AJAX actions, allowing any authenticated user (i.e., any user with a valid login) to modify plugin settings that should normally be restricted to administrators or privileged roles. The CVSS v3.1 base score is 4.3, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) reveals that the attack can be performed remotely over the network without user interaction but requires the attacker to have some level of privileges (logged-in user). The impact is limited to integrity, as confidentiality and availability are not affected. No known exploits are currently reported in the wild, and no official patches or updates are linked in the provided data, though the fixed version is 2.4.7 or later. This vulnerability could allow an attacker with a low-privileged account to escalate their control within the plugin by changing settings, potentially leading to further compromise or manipulation of recruitment data or site behavior. Since the plugin integrates with popular WordPress page builders Elementor and Gutenberg, it is likely used in diverse WordPress environments, including corporate career pages and job boards.
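The defect class described above is an `admin-ajax.php` handler that is registered on a `wp_ajax_*` hook (which fires for every authenticated user, whatever their role) without an explicit capability check. The following is an added illustration, not code from the easy.jobs plugin: a vulnerable handler of that shape beside the hardened form WordPress developers are expected to write. The action names, option name and settings keys are hypothetical placeholders.

```php
<?php
/**
 * Added example, not taken from the easy.jobs plugin.
 * All action names, option names and settings keys below are hypothetical.
 */

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_* hooks run for ANY logged-in user. With no capability check and no
// nonce, a subscriber-level account can rewrite the option.
add_action( 'wp_ajax_example_plugin_save_settings', 'example_plugin_save_settings_insecure' );
function example_plugin_save_settings_insecure() {
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_plugin_settings', $settings ); // hypothetical option name
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_example_plugin_save_settings_v2', 'example_plugin_save_settings_secure' );
function example_plugin_save_settings_secure() {
    // 1. Authorisation: only users allowed to manage site options get through.
    //    wp_send_json_error() terminates the request, so no return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action
    //    (check_ajax_referer() dies on failure).
    check_ajax_referer( 'example_plugin_save_settings', 'nonce' );

    // 3. Validation: accept only known keys, coerced to the expected types.
    $raw   = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $clean = array(
        'listings_per_page' => isset( $raw['listings_per_page'] ) ? absint( $raw['listings_per_page'] ) : 10,
        'career_page_title' => isset( $raw['career_page_title'] ) ? sanitize_text_field( $raw['career_page_title'] ) : '',
    );

    update_option( 'example_plugin_settings', $clean );
    wp_send_json_success( $clean );
}

// The nonce the hardened handler expects is issued to the admin page's script:
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script(
        'example-plugin-admin', // hypothetical script handle
        'examplePlugin',
        array( 'nonce' => wp_create_nonce( 'example_plugin_save_settings' ) )
    );
} );
```

The order matters: the capability check runs before the nonce check so that an unauthorised caller learns nothing about nonce validity, and both run before any input is read. A nonce alone is not an access control; it only proves the request originated from a page the same user loaded.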

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to those using the easy.jobs plugin for their recruitment or career web pages. Unauthorized modification of plugin settings by low-privileged users could lead to manipulation of job listings, exposure or alteration of recruitment workflows, or insertion of malicious content if the settings control output or data processing. This could damage organizational reputation, disrupt HR operations, or facilitate further attacks if combined with other vulnerabilities. While the vulnerability does not directly expose sensitive data or cause denial of service, the integrity compromise can undermine trust in the recruitment platform. Organizations in sectors with high recruitment activity or regulatory scrutiny around employment data (e.g., financial services, healthcare, government) may face compliance risks if unauthorized changes lead to data mishandling. Additionally, attackers could leverage this foothold to pivot to other parts of the WordPress site or network if additional vulnerabilities exist.

Mitigation Recommendations

1. Immediate upgrade to version 2.4.7 or later of the easy.jobs plugin once available, as this version addresses the improper access control issue.
2. Restrict plugin access by limiting user roles that can log in to the WordPress site, minimizing the number of accounts with any login privileges.
3. Implement strict role-based access control (RBAC) policies within WordPress to ensure only trusted users have permissions to interact with recruitment plugins.
4. Monitor and audit changes to plugin settings regularly to detect unauthorized modifications promptly.
5. Use Web Application Firewalls (WAFs) with custom rules to detect and block suspicious AJAX requests targeting the plugin’s endpoints.
6. Consider isolating the recruitment site or page on a separate subdomain or environment with additional security controls to limit lateral movement.
7. Educate administrators and HR staff about the importance of strong passwords and multi-factor authentication to reduce risk of credential compromise.
8. Review and harden WordPress security posture overall, including timely updates of core, themes, and plugins to reduce attack surface.
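Recommendation 4 (monitor and audit settings changes) can be implemented inside WordPress itself, independently of the plugin. The following must-use plugin is an added example, not part of easy.jobs or of this advisory: it hooks the core `updated_option` / `added_option` actions, logs every write to options under a watched prefix together with the acting user, role, source IP and AJAX action, and flags the condition this CVE class produces, a settings write by an account that lacks `manage_options`. The option prefix is a hypothetical placeholder to be replaced with the real plugin's option names.

```php
<?php
/**
 * Plugin Name: Option Change Audit (added example, not part of easy.jobs)
 * Install by copying into wp-content/mu-plugins/ so it loads before other plugins.
 * The watched prefix is a hypothetical placeholder.
 */

define( 'OCA_WATCHED_PREFIX', 'example_plugin_' ); // hypothetical prefix

/**
 * Log a settings change for any option whose name starts with the watched prefix.
 * Signature matches the updated_option hook: ( $option, $old_value, $value ).
 */
function oca_log_option_change( $option, $old_value, $value ) {
    if ( strpos( $option, OCA_WATCHED_PREFIX ) !== 0 ) {
        return; // not one of the options we care about
    }

    // wp_get_current_user() returns a WP_User with ID 0 for anonymous/WP-CLI context.
    $user = wp_get_current_user();

    $entry = array(
        'ts'       => gmdate( 'c' ),
        'option'   => $option,
        'user_id'  => $user->ID,
        'login'    => $user->user_login,
        'roles'    => implode( ',', (array) $user->roles ),
        'ip'       => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
        'ajax'     => wp_doing_ajax() ? 1 : 0,
        // The admin-ajax action name identifies which handler performed the write.
        'action'   => isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '',
        // Hashes rather than raw values: enough to see that something changed
        // without copying potentially sensitive settings into the log.
        'old_hash' => md5( maybe_serialize( $old_value ) ),
        'new_hash' => md5( maybe_serialize( $value ) ),
    );

    // Settings writes should only come from accounts that may manage options.
    // A write from anyone else is exactly the symptom of a missing capability
    // check in an AJAX handler, so mark it for alerting.
    if ( ! user_can( $user, 'manage_options' ) ) {
        $entry['alert'] = 'settings_change_without_manage_options';
    }

    error_log( 'OCA ' . wp_json_encode( $entry ) );
}
add_action( 'updated_option', 'oca_log_option_change', 10, 3 );

// added_option passes only ( $option, $value ); normalise to the same logger.
add_action( 'added_option', function ( $option, $value ) {
    oca_log_option_change( $option, null, $value );
}, 10, 2 );
```

Lines are written to the PHP error log as one JSON object each, prefixed with `OCA`, so a log shipper can pick them up with a simple prefix match and raise an alert on the `alert` field. In normal operation every entry should carry an administrator login and no `alert` key; a low-privileged login or a non-zero `ajax` flag with an unexpected `action` is the signal to investigate.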

Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2023-12-15T13:32:36.192Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683f034b182aa0cae27e670d

Added to database: 6/3/2025, 2:14:35 PM

Last enriched: 7/3/2025, 8:26:16 PM

Last updated: 8/16/2025, 12:05:19 AM
