CVE-2024-13429 is a security vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the WP Job Portal plugin for WordPress, a comprehensive recruitment system used by companies and job boards. The issue exists in all versions up to and including 2.2.6 and is caused by an insecure direct object reference (IDOR) vulnerability in the 'jobenforcedelete' functionality. Specifically, the plugin fails to properly validate a user-controlled key parameter, allowing authenticated users with employer-level privileges or higher to bypass authorization checks. This enables them to delete arbitrary job postings that they should not have permission to remove. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N) with low attack complexity (AC:L). The attacker must have some level of privileges (PR:L), but no additional user interaction is needed (UI:N). The impact is limited to integrity (I:L) as it allows unauthorized deletion of data but does not affect confidentiality or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights the importance of robust access control validation and secure handling of user-supplied keys in web applications, especially in multi-tenant environments like job portals where different users have varying levels of access.

The primary impact of CVE-2024-13429 is the unauthorized deletion of job postings within affected WP Job Portal installations. This compromises data integrity by allowing employer-level users to remove job listings they do not own or manage, potentially disrupting recruitment operations and causing loss of critical business data. For organizations relying on this plugin, such unauthorized deletions could lead to operational disruptions, loss of candidate applications, and damage to reputation if job listings disappear unexpectedly. While the vulnerability does not directly expose sensitive data or cause denial of service, the ability to manipulate job postings undermines trust in the platform's reliability and security. Attackers with employer-level access could also use this flaw to sabotage competitors’ job listings or manipulate the job board content maliciously. Given the plugin’s use in recruitment and job board websites globally, the impact extends to HR departments, recruiters, and job seekers who depend on accurate and stable job postings.

To mitigate CVE-2024-13429, organizations should immediately restrict employer-level user permissions to the minimum necessary and audit current user roles for excessive privileges. Implement strict server-side validation of all user-controlled keys or identifiers used in deletion functions to ensure users can only delete resources they are authorized to manage. Employ role-based access control (RBAC) mechanisms that enforce ownership checks before allowing deletion operations. Monitor and log all deletion requests for suspicious activity to detect potential abuse. Until an official patch is released, consider disabling the 'jobenforcedelete' functionality or applying custom code fixes that validate authorization checks robustly. Regularly update the WP Job Portal plugin once a security update addressing this vulnerability becomes available. Additionally, conduct security reviews of other plugin functions to identify similar authorization weaknesses. Educate users with elevated privileges about the risks of misuse and enforce strong authentication controls to prevent account compromise.