
CVE-2024-7762: CWE-200 Information Exposure in Unknown Simple Job Board

Severity: High
Tags: Vulnerability, CVE-2024-7762, CWE-200
Published: Thu May 15 2025 (05/15/2025, 20:07:11 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Simple Job Board

Description

The Simple Job Board WordPress plugin before 2.12.6 does not prevent uploaded files from being listed, allowing unauthenticated users to access and download uploaded resumes.

AI-Powered Analysis

Last updated: 07/06/2025, 07:40:35 UTC

Technical Analysis

CVE-2024-7762 is a high-severity information exposure vulnerability affecting the Simple Job Board WordPress plugin versions prior to 2.12.6. The vulnerability arises because the plugin does not properly restrict access to uploaded files, specifically resumes submitted by job applicants. As a result, unauthenticated users can list, access, and download these uploaded files without any authorization or authentication. This issue is categorized under CWE-200 (Information Exposure), indicating that sensitive information is inadvertently disclosed to unauthorized parties. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting its high impact due to the ease of exploitation (network accessible, no privileges or user interaction required) and the high confidentiality impact (exposure of potentially sensitive personal data). The integrity and availability of the system are not affected. Since the plugin is commonly used in WordPress sites to manage job postings and applicant data, this vulnerability can lead to significant privacy violations and potential regulatory compliance issues, especially concerning personal data protection laws. No known exploits are currently reported in the wild, and no official patches or updates are linked in the provided data, but the fixed version is 2.12.6 or later. Organizations using affected versions should prioritize updating to mitigate this risk.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality of personal data, particularly sensitive applicant information such as resumes that may contain names, contact details, employment history, and other personally identifiable information (PII). Exposure of such data can lead to privacy breaches, identity theft, and reputational damage. Additionally, under the EU's General Data Protection Regulation (GDPR), unauthorized disclosure of personal data can result in substantial fines and legal consequences. Organizations relying on the Simple Job Board plugin for recruitment processes may face compliance challenges and loss of trust from applicants and partners. The vulnerability's ease of exploitation means attackers can access sensitive data remotely without authentication, increasing the likelihood of data leakage. Although the vulnerability does not affect system integrity or availability, the confidentiality breach alone can have severe operational and legal repercussions.

Mitigation Recommendations

European organizations should immediately verify the version of the Simple Job Board plugin in use and upgrade to version 2.12.6 or later, where this vulnerability is addressed. If immediate upgrading is not feasible, organizations should implement access controls at the web server or application level to restrict direct access to uploaded files, such as configuring .htaccess rules or equivalent to deny unauthenticated HTTP requests to the upload directories. Additionally, organizations should audit their existing uploaded files for potential exposure and notify affected individuals if a breach is suspected. Monitoring web server logs for unusual access patterns to upload directories can help detect exploitation attempts. It is also recommended to review and enhance overall WordPress security posture, including limiting plugin usage to trusted sources, regularly updating all plugins and themes, and employing web application firewalls (WAFs) to block unauthorized access attempts. Finally, organizations should ensure their data protection policies and incident response plans are updated to handle potential data exposure incidents related to this vulnerability.
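The paragraph above recommends watching web server logs for unusual access to the upload directories. The following is an added example of that detection logic, written for this page and not taken from the advisory, the plugin or its vendor. It parses Apache combined-format access-log lines and flags two patterns that match the described exposure: a request for the bare upload directory (a 200 response means a listing was served, a 403 means the access rule held) and a single client fetching several files from that directory within a short window. The upload path, the log lines and the IP addresses are all constructed placeholders; replace `UPLOAD_PREFIX` with the directory the plugin actually writes to on your site.

```python
"""Access-log detection for the resume-exposure pattern described in the advisory.

All sample data below is constructed for illustration; no real site, client
or applicant is referenced.
"""
import re
from collections import defaultdict
from datetime import datetime

# HYPOTHETICAL path: the advisory names no directory, so this is a placeholder
# to be replaced with the real upload location used on the monitored site.
UPLOAD_PREFIX = "/wp-content/uploads/job-board-resumes/"

# Apache "combined" log format; referrer and user-agent are matched but unused.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client lists the directory and pulls several files in
# quick succession, a second client's listing attempt is denied, and one request
# is ordinary site traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [15/May/2025:20:07:11 +0000] "GET /wp-content/uploads/job-board-resumes/ HTTP/1.1" 200 4820 "-" "Mozilla/5.0"
203.0.113.5 - - [15/May/2025:20:07:14 +0000] "GET /wp-content/uploads/job-board-resumes/2025/05/applicant-a.pdf HTTP/1.1" 200 90112 "-" "Mozilla/5.0"
203.0.113.5 - - [15/May/2025:20:07:16 +0000] "GET /wp-content/uploads/job-board-resumes/2025/05/applicant-b.pdf HTTP/1.1" 200 77301 "-" "Mozilla/5.0"
203.0.113.5 - - [15/May/2025:20:07:19 +0000] "GET /wp-content/uploads/job-board-resumes/2025/05/applicant-c.docx HTTP/1.1" 200 61240 "-" "Mozilla/5.0"
198.51.100.9 - - [15/May/2025:20:09:02 +0000] "GET /wp-content/uploads/job-board-resumes/ HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.7 - - [15/May/2025:20:10:40 +0000] "GET /jobs/ HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text):
    """Parse every well-formed line of an access log; malformed lines are skipped."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def listing_requests(records):
    """Requests for the upload directory (or a subdirectory) itself.

    A 200 here means the server rendered a directory listing; a 403 means the
    deny rule was in place and the attempt was blocked. Both are worth seeing.
    """
    return [
        (r["ip"], r["path"], r["status"])
        for r in records
        if r["path"].startswith(UPLOAD_PREFIX) and r["path"].endswith("/")
    ]


def download_bursts(records, threshold=3, window_seconds=60):
    """Clients that fetched at least `threshold` files under the upload
    directory within `window_seconds`. Returns {ip: total files fetched}."""
    per_ip = defaultdict(list)
    for r in records:
        if (r["status"] == 200 and r["path"].startswith(UPLOAD_PREFIX)
                and not r["path"].endswith("/")):
            per_ip[r["ip"]].append(r["ts"])
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        # Slide a window of `threshold` consecutive downloads over the timeline.
        for i in range(len(times) - threshold + 1):
            span = (times[i + threshold - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                hits[ip] = len(times)
                break
    return hits


def analyse(text):
    """Run both checks over raw log text and return the findings."""
    records = parse_log(text)
    return {"listings": listing_requests(records), "bursts": download_bursts(records)}


if __name__ == "__main__":
    for kind, findings in analyse(SAMPLE_LOG).items():
        print(kind, findings)
```

The two thresholds are deliberately conservative defaults; on a busy recruitment site the burst threshold should be tuned against normal recruiter behaviour, and a listing request that returns 200 is a finding on its own regardless of volume.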


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2024-08-13T18:11:46.458Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f91484d88663aeb8e3

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 7/6/2025, 7:40:35 AM

Last updated: 8/1/2025, 12:17:04 AM
