
CVE-2024-13425: CWE-639 Authorization Bypass Through User-Controlled Key in wpjobportal WP Job Portal – A Complete Recruitment System for Company or Job Board website

Severity: Medium
Tags: Vulnerability, CVE-2024-13425, CWE-639
Published: Sat Feb 01 2025 (02/01/2025, 07:21:38 UTC)
Source: CVE Database V5
Vendor/Project: wpjobportal
Product: WP Job Portal – A Complete Recruitment System for Company or Job Board website

Description

CVE-2024-13425 is an authorization bypass vulnerability in the WP Job Portal WordPress plugin, affecting all versions up to and including 2.2.6. The flaw stems from missing validation of a user-controlled key in the enforcedelete() function, allowing authenticated users with Employer-level access or higher to delete companies owned by other users. The vulnerability does not impact confidentiality or availability, but it can cause integrity loss through unauthorized deletion of data. Exploitation requires authentication but no user interaction, and the attack can be performed remotely. The CVSS score is 4.3 (medium severity). No known exploits are currently reported in the wild. Organizations using this plugin for recruitment or job board websites should prioritize patching or applying access control restrictions to mitigate the risk.

AI-Powered Analysis

Last updated: 02/26/2026, 01:14:46 UTC

Technical Analysis

CVE-2024-13425 is a vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the WP Job Portal plugin for WordPress, a widely used recruitment system plugin for company or job board websites. The vulnerability arises from the enforcedelete() function, which fails to properly validate a user-controlled key parameter. This lack of validation allows authenticated users with Employer-level privileges or higher to delete company records that belong to other users, bypassing intended authorization controls. The vulnerability affects all versions up to and including 2.2.6. The attack vector is network-based (remote), requiring low attack complexity and only privileges equivalent to an Employer role, which is a common user level in this plugin. No user interaction is required for exploitation. The vulnerability impacts data integrity by enabling unauthorized deletion of company data but does not affect confidentiality or availability. The CVSS v3.1 base score is 4.3, reflecting a medium severity level due to the limited scope and required privileges. No public exploits or active exploitation in the wild have been reported as of the publication date. The vulnerability highlights the importance of proper access control and input validation in multi-tenant web applications, especially those managing sensitive business data such as recruitment platforms.

Potential Impact

The primary impact of this vulnerability is the unauthorized deletion of company data within the WP Job Portal plugin. For organizations relying on this plugin to manage recruitment or job board services, this can result in data integrity loss, disruption of business operations, and potential reputational damage. Although the vulnerability does not expose confidential information or cause denial of service, the ability for an authenticated user to delete other users' companies could lead to significant operational disruption, loss of critical business data, and administrative overhead to restore or recover deleted records. In multi-tenant environments, this could also cause conflicts between users and undermine trust in the platform. The requirement for authenticated Employer-level access limits the attack surface but does not eliminate risk, especially in environments with many users or where user privileges are not tightly controlled. Organizations worldwide using this plugin are at risk, particularly those with large user bases or high-value recruitment data.

Mitigation Recommendations

To mitigate CVE-2024-13425, organizations should immediately upgrade the WP Job Portal plugin to a version where this vulnerability is patched once available. In the absence of an official patch, administrators should implement strict access control policies to limit Employer-level privileges only to trusted users. Additionally, custom code or web application firewalls (WAFs) can be configured to monitor and block suspicious requests targeting the enforcedelete() function or containing unexpected key parameters. Regular auditing of user permissions and activity logs can help detect unauthorized deletion attempts. Backup and recovery procedures should be reviewed and tested to ensure rapid restoration of deleted data. Developers maintaining custom integrations should review the plugin’s authorization logic and add server-side validation to confirm that users can only delete companies they own. Finally, monitoring for unusual deletion patterns and alerting administrators can help mitigate damage from exploitation attempts.
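As an added illustration (not WP Job Portal's own code) of the missing ownership check described in the technical analysis and of the server-side validation the mitigation section calls for, the following standalone PHP contrasts a delete handler that trusts the caller-supplied company id with one that compares the stored row's owner against the authenticated user. The $companies table, the user record and the function names are constructed stand-ins, not identifiers from the plugin.

```php
<?php
// Added example, not WP Job Portal code. The $companies array stands in for the
// plugin's company table and $current_user for WordPress's current-user context;
// both are constructed sample data.
$companies = [
    10 => ['name' => 'Acme Corp',  'owner_id' => 7],
    11 => ['name' => 'Globex Ltd', 'owner_id' => 9],
];
$current_user = ['id' => 7, 'role' => 'employer'];

// CWE-639 shape: the only key is the caller-supplied id, so any authenticated
// user who can reach this handler can delete whichever row that id names.
function delete_company_unchecked(array &$companies, int $company_id): bool
{
    if (!isset($companies[$company_id])) {
        return false;
    }
    unset($companies[$company_id]);
    return true;
}

// Hardened shape: look the row up server-side and require that its owner_id
// matches the authenticated user. Administrators keep an override; the check
// is made on the stored row, never on anything the request claims about ownership.
function delete_company_checked(array &$companies, array $user, int $company_id): bool
{
    if (!isset($companies[$company_id])) {
        return false;                       // unknown id: nothing to delete
    }
    $is_admin = ($user['role'] === 'administrator');
    if (!$is_admin && $companies[$company_id]['owner_id'] !== $user['id']) {
        return false;                       // deny: caller does not own this company
    }
    unset($companies[$company_id]);
    return true;
}

// Employer 7 requests deletion of company 11, which belongs to user 9.
$table = $companies;
printf("unchecked: %s\n", delete_company_unchecked($table, 11) ? 'deleted' : 'denied');
$table = $companies;
printf("checked:   %s\n", delete_company_checked($table, $current_user, 11) ? 'deleted' : 'denied');
printf("own row:   %s\n", delete_company_checked($table, $current_user, 10) ? 'deleted' : 'denied');
// In a real WordPress handler the same ownership test would sit in front of the
// $wpdb->delete() call, after wp_verify_nonce() and a capability check.
```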


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-15T19:23:55.733Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e56b7ef31ef0b59e7f5

Added to database: 2/25/2026, 9:49:10 PM

Last enriched: 2/26/2026, 1:14:46 AM

Last updated: 2/26/2026, 6:18:39 AM
