CVE-2024-11917 is an authentication bypass vulnerability in the JobSearch WP Job Board WordPress plugin affecting all versions up to 2.9.2. The issue stems from improper handling in the 'jobsearch_xing_response_data_callback', 'set_access_tokes', and 'google_callback' functions, enabling unauthenticated attackers to impersonate connected Xing users if their Xing ID is known, or the first connected Xing user. Additionally, attackers can impersonate the first connected Google user if that user has logged in within the last thirty days without logging out. Although a partial fix was applied in version 2.8.4, the vulnerability remains exploitable in subsequent versions up to 2.9.2. The CVSS 3.1 base score is 8.1, reflecting a high impact on confidentiality, integrity, and availability with network attack vector and no privileges or user interaction required.

Successful exploitation allows unauthenticated attackers to bypass authentication and log in as legitimate connected users of the plugin via Xing or Google login mechanisms. This can lead to full compromise of user accounts, potentially exposing sensitive data and allowing unauthorized actions within the WordPress site. The vulnerability affects confidentiality, integrity, and availability of the affected system. No known exploits in the wild have been reported as of the publication date.

No official patch or fix is currently confirmed as available for versions up to 2.9.2. A partial patch was introduced in version 2.8.4, but it does not fully remediate the issue. Users should check the vendor's advisory for updates and apply any official fixes once released. Until a full fix is available, consider disabling the affected login integrations or restricting access to the plugin features to trusted users only. Monitor vendor channels for remediation announcements.