WP Job Portal Insecure Direct Object Reference Vulnerability Allowing Photo Deletion

Vulnerability

A vulnerability exists in the WP Job Portal WordPress plugin, specifically in versions through 2.2.8. The issue is an Insecure Direct Object Reference (IDOR) that arises in the deleteUserPhoto() function, where user-controlled keys are not properly validated. This flaw enables authenticated attackers with Subscriber-level access or higher to remove profile photos from other users' accounts, although the actual file is not deleted.
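
The following PHP sketch, added here and not taken from WP Job Portal's source, contrasts a photo-deletion handler that trusts a request-supplied user ID with one that restricts the action to the caller's own record; the meta key wpjp_profile_photo, the nonce action name and the function names are assumed for illustration.

```php
<?php
// Hypothetical illustration of the IDOR class described above; not the
// plugin's actual code. Both handlers remove only the stored reference to
// the photo (user meta), not the file itself, matching the advisory.

// Vulnerable pattern: the target user ID is taken straight from the
// request, so any logged-in user can point the handler at another account.
function wpjp_delete_user_photo_vulnerable() {
    $uid = isset($_POST['uid']) ? intval($_POST['uid']) : 0;
    delete_user_meta($uid, 'wpjp_profile_photo'); // assumed meta key
    wp_send_json_success();
}

// Hardened pattern: verify the request nonce, then act only on the calling
// user's own record unless the caller holds a capability that permits
// managing other users.
function wpjp_delete_user_photo_secure() {
    check_ajax_referer('wpjp_delete_photo', 'nonce'); // assumed action name
    $requested = isset($_POST['uid']) ? intval($_POST['uid']) : 0;
    $current   = get_current_user_id();
    if ($current === 0) {
        wp_send_json_error('not logged in', 401);
    }
    // Ownership check: the request key must match the authenticated user,
    // or the caller must be allowed to edit other users.
    if ($requested !== $current && !current_user_can('edit_users')) {
        wp_send_json_error('forbidden', 403);
    }
    delete_user_meta($requested, 'wpjp_profile_photo');
    wp_send_json_success();
}
```

The hardened handler is the pattern a reviewer would look for in any endpoint that accepts an object identifier from the client: authorization is decided against the server-side identity, never against the submitted key alone.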

Impact

Exploitation of this vulnerability allows any authenticated user to remove the profile photo reference from other users' accounts without authorization, which can disrupt how those users are represented on the site and undermine trust in the photo management feature.

Remediation

Users are advised to update the WP Job Portal plugin to version 2.2.9 or a later patched version.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.6
impact: 0.6
exploitability: 6.1
remediation: 7.7
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.