Search
Search Results (4 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-7733 | 2 Wordpress, Wp-jobhunt Project | 2 Wordpress, Wp-jobhunt | 2025-12-23 | 4.3 Medium |
| The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'cs_update_application_status_callback' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user. | ||||
| CVE-2025-7782 | 2 Wordpress, Wp-jobhunt Project | 2 Wordpress, Wp-jobhunt | 2025-12-23 | 7.6 High |
| The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the 'status' parameter of applied jobs for any user. | ||||
| CVE-2018-19488 | 1 Wp-jobhunt Project | 1 Wp-jobhunt | 2024-11-21 | N/A |
| The WP-jobhunt plugin before version 2.4 for WordPress does not control AJAX requests sent to the cs_reset_pass() function through the admin-ajax.php file, which allows remote unauthenticated attackers to reset the password of a user's account. | ||||
| CVE-2018-19487 | 1 Wp-jobhunt Project | 1 Wp-jobhunt | 2024-11-21 | N/A |
| The WP-jobhunt plugin before version 2.4 for WordPress does not control AJAX requests sent to the cs_employer_ajax_profile() function through the admin-ajax.php file, which allows remote unauthenticated attackers to enumerate information about users. | ||||
Page 1 of 1.