CVE-2024-13772

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-13772
The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.6.1. This is due to a lack of password randomization and user validation through the fb_ajax_login_or_register and google_ajax_login_or_register actions. This makes it possible for unauthenticated attackers to login as any user as long as they have access to the email.

5.9 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://themeforest.net/item/civi-job-board-wordpress-theme/42770817#item-description__changelogs
https://www.wordfence.com/threat-intel/vulnerabilities/id/bf04f458-7900-4dd3-84fb-169b74db97ab?source=cve Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:uxper:civi:*:*:*:*:*:wordpress:*:*
History

17 Jun 2025, 18:15

Type Values Removed Values Added
References
  • {'url': 'http://localhost:1337/wp-content/themes/civi/includes/class-ajax.php#L739', 'name': 'http://localhost:1337/wp-content/themes/civi/includes/class-ajax.php#L739', 'tags': ['Broken Link'], 'refsource': ''}
  • {'url': 'http://localhost:1337/wp-content/themes/civi/includes/class-ajax.php#L567', 'name': 'http://localhost:1337/wp-content/themes/civi/includes/class-ajax.php#L567', 'tags': ['Broken Link'], 'refsource': ''}
  • () https://themeforest.net/item/civi-job-board-wordpress-theme/42770817#item-description__changelogs -
Summary The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of randomization of a password created during Single Sign-On via Google or Facebook. This makes it possible for unauthenticated attackers to change the password of arbitrary Candidate-level users if the attacker knows the username assigned to the victim during account creation. The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.6.1. This is due to a lack of password randomization and user validation through the fb_ajax_login_or_register and google_ajax_login_or_register actions. This makes it possible for unauthenticated attackers to login as any user as long as they have access to the email.
CWE CWE-288

28 Mar 2025, 16:19

Type Values Removed Values Added
CPE cpe:2.3:a:yxper:civi:*:*:*:*:*:wordpress:*:* cpe:2.3:a:uxper:civi:*:*:*:*:*:wordpress:*:*
First Time Uxper civi
Uxper

27 Mar 2025, 01:22

Type Values Removed Values Added
CPE cpe:2.3:a:yxper:civi:*:*:*:*:*:wordpress:*:*
CWE CWE-306
CVSS v2 : unknown
v3 : 5.6 		v2 : unknown
v3 : 5.9
First Time Yxper civi
Yxper
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/bf04f458-7900-4dd3-84fb-169b74db97ab?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/bf04f458-7900-4dd3-84fb-169b74db97ab?source=cve - Third Party Advisory
References () http://localhost:1337/wp-content/themes/civi/includes/class-ajax.php#L739 - () http://localhost:1337/wp-content/themes/civi/includes/class-ajax.php#L739 - Broken Link
References () http://localhost:1337/wp-content/themes/civi/includes/class-ajax.php#L567 - () http://localhost:1337/wp-content/themes/civi/includes/class-ajax.php#L567 - Broken Link

14 Mar 2025, 12:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-14 12:15

Updated : 2025-06-17 18:15

NVD link : CVE-2024-13772

Mitre link : CVE-2024-13772

JSON object : View

Products Affected

uxper

  • civi
CWE
CWE-306

Missing Authentication for Critical Function