CVE-2024-11283 Overview
CVE-2024-11283 is an authentication bypass vulnerability in WP JobHunt, a WordPress plugin bundled with Chimpgroup's JobCareer theme. The flaw affects all versions up to and including 7.1. The vulnerable wp_ajax_google_api_login_callback function fails to verify a user's identity before authenticating them, so unauthenticated attackers can log in as arbitrary candidate accounts on affected WordPress sites. The issue is classified as CWE-289 (Authentication Bypass by Alternate Name).
Critical Impact
Unauthenticated remote attackers can log in as any candidate account, exposing candidates' personal data, resumes and uploaded documents, and giving the attacker an authenticated foothold on the WordPress site for follow-on attacks.
Affected Products
- Chimpgroup JobCareer (WordPress theme) versions through 7.1
- WP JobHunt plugin versions through 7.1
- Any WordPress site on which the affected wp_ajax_google_api_login_callback AJAX handler is registered, however the plugin was installed
Discovery Timeline
- 2025-03-14 - CVE-2024-11283 published to the National Vulnerability Database (NVD)
- 2025-07-08 - NVD record last updated
Technical Details for CVE-2024-11283
Vulnerability Analysis
The vulnerability resides in the wp_ajax_google_api_login_callback AJAX endpoint registered by the WP JobHunt plugin. This endpoint handles the callback step of the Google social login flow. The handler accepts a user-supplied identifier and authenticates the corresponding WordPress account without validating any cryptographic proof from Google that the visitor owns that identity.
Because the function is registered on the wp_ajax_nopriv_ hook, it is reachable by unauthenticated visitors. An attacker sends a crafted POST request to /wp-admin/admin-ajax.php with the matching action parameter, and the plugin issues an authenticated session for the candidate account whose identifier was supplied.
The vulnerability is reachable over the network without privileges or user interaction. Successful exploitation yields full access to the targeted candidate account, including resumes, contact information and any uploaded documents.
Root Cause
The root cause is missing identity verification in the Google API login callback. A secure implementation must validate the Google-issued ID token signature, audience, and issuer before associating it with a local WordPress user. The vulnerable code skips these checks and trusts attacker-controlled request parameters to select the target account.
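The following is an added example, not code from WP JobHunt or from the Wordfence report. It contrasts the vulnerable pattern the advisory describes (picking the account from a request parameter) with a callback that first verifies the ID token's signature, issuer, audience and expiry and only then maps the token's sub claim to a local account. Google signs ID tokens with RS256 and publishes its keys at https://www.googleapis.com/oauth2/v3/certs; to run offline this example substitutes an HMAC key, and the client ID and user table are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo data. Google issues RS256-signed ID tokens that must be
# verified against the public keys at https://www.googleapis.com/oauth2/v3/certs;
# this example stands in an HMAC key so it runs offline. The issuer, audience
# and expiry checks, and the rule that the account comes from the verified
# token rather than from the request, are the same with RS256.
DEMO_SIGNING_KEY = b"demo-key-not-a-google-key"
EXPECTED_ISSUERS = ("https://accounts.google.com", "accounts.google.com")
EXPECTED_AUDIENCE = "demo-client.apps.googleusercontent.com"  # assumed OAuth client ID
USERS_BY_SUB = {"1001": "alice", "1002": "bob"}  # constructed: Google sub -> WP login


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_SIGNING_KEY) -> str:
    """Mint a demo ID token (HS256 stand-in for Google's RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def vulnerable_login(request: dict) -> Optional[str]:
    """The pattern the advisory describes: the account is chosen from a
    request parameter the visitor controls, with no proof from Google."""
    return USERS_BY_SUB.get(request.get("user_id"))


def verify_id_token(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the claims only if signature, issuer, audience and expiry all hold."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # checked first: never act on unsigned claims
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") not in EXPECTED_ISSUERS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")  # a token minted for another app is not ours
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (now if now is not None else time.time()):
        raise ValueError("expired or missing exp")
    return claims


def hardened_login(request: dict, now: Optional[float] = None) -> Optional[str]:
    """Pick the account from the verified token's sub; any user_id or email
    parameter in the request is ignored."""
    try:
        claims = verify_id_token(request.get("id_token", ""), DEMO_SIGNING_KEY, now)
    except ValueError:
        return None
    return USERS_BY_SUB.get(str(claims.get("sub")))
```

The order of checks matters: the signature is verified before any claim is read, so a visitor who edits the payload to name another candidate's sub gets nothing, and a token issued for a different OAuth client (wrong aud) is rejected even though Google signed it.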
Attack Vector
The attack is network-based and requires neither authentication nor user interaction. The attacker obtains the identifier of a target candidate account and submits a forged AJAX request that triggers wp_ajax_google_api_login_callback; the plugin responds by setting authentication cookies for that account, granting the attacker the same access as the legitimate candidate.
For technical details and proof-of-concept indicators, refer to the Wordfence Vulnerability Report.
Detection Methods for CVE-2024-11283
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php with the action=google_api_login_callback parameter from unauthenticated sources
- Successful login events for candidate accounts that are not preceded by a login form submission or by a legitimate Google OAuth redirect and return
- New wordpress_logged_in_* cookies issued shortly after anonymous AJAX traffic to the Google login callback
- Unexpected access to candidate dashboard pages such as /candidate/ or resume download endpoints from new IP addresses
Detection Strategies
- Inspect web server access logs for repeated requests to admin-ajax.php referencing the Google API login callback action
- Correlate candidate login events with the web server log: a legitimate Google login is preceded by a redirect from the site to accounts.google.com and a return carrying an authorization code, so a login with no such exchange is suspect
- Alert on candidate accounts logging in from geographic locations or user agents that deviate from their historical baselines
- Deploy a Web Application Firewall (WAF) rule that flags or blocks admin-ajax.php requests carrying the vulnerable action; if the legitimate flow must stay enabled, restrict the rule to requests that do not carry the state value issued during the site's own OAuth redirect
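The detection logic above, run over constructed access-log lines, as an added example that is not part of the original advisory. It flags requests to admin-ajax.php whose query string names the vulnerable action, counts them per source IP, and reports which of those IPs went on to browse candidate pages. It also counts POSTs to admin-ajax.php with no action in the query string, because WordPress AJAX clients normally put the action in the POST body, which a combined-format access log never records; those requests are the blind spot that a body-inspecting WAF or application log has to cover. The log lines, IPs and hostnames are constructed sample input.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in nginx/Apache "combined" format. They are
# sample input for this example, not traffic captured from a real site.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [14/Mar/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=google_api_login_callback HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [14/Mar/2025:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=google_api_login_callback HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [14/Mar/2025:10:01:05 +0000] "GET /candidate/ HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.4 - - [14/Mar/2025:10:02:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "https://jobs.example/" "Mozilla/5.0"
192.0.2.9 - - [14/Mar/2025:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "https://jobs.example/login" "Mozilla/5.0"
"""

VULN_ACTION = "google_api_login_callback"  # action name as given in the advisory
AJAX_PATH = "/wp-admin/admin-ajax.php"

# ip, identd, user, [timestamp], "METHOD target protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one combined-format line into ip, method, path, status and the
    action named in the query string (None when absent)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["action"] = parse_qs(url.query).get("action", [None])[0]
    return rec


def parse_log(log_text):
    return [r for r in (parse_line(l) for l in log_text.splitlines()) if r]


def callback_hits_by_ip(log_text):
    """Requests to admin-ajax.php whose query string names the vulnerable action."""
    hits = Counter()
    for rec in parse_log(log_text):
        if rec["path"] == AJAX_PATH and rec["action"] == VULN_ACTION:
            hits[rec["ip"]] += 1
    return hits


def blind_ajax_posts_by_ip(log_text):
    """POSTs to admin-ajax.php with no action in the query string: the action
    is in the request body, which this log format does not record."""
    blind = Counter()
    for rec in parse_log(log_text):
        if rec["path"] == AJAX_PATH and rec["method"] == "POST" and rec["action"] is None:
            blind[rec["ip"]] += 1
    return blind


def candidate_access_from_callback_ips(log_text):
    """IPs that hit the vulnerable action and also fetched candidate pages,
    the pairing the indicators-of-compromise list describes."""
    suspects = set(callback_hits_by_ip(log_text))
    return {rec["ip"] for rec in parse_log(log_text)
            if rec["ip"] in suspects and rec["path"].startswith("/candidate/")}
```

On real logs, feed the file contents to callback_hits_by_ip and treat a non-empty result as a triage item; a large blind_ajax_posts_by_ip count tells you the access log alone cannot rule exploitation out and the WAF or application log must be consulted.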
Monitoring Recommendations
- Enable detailed authentication logging in WordPress with a plugin such as WP Activity Log so that every login and session creation event is recorded with source IP and user agent
- Forward WordPress and web server logs to a centralized analytics platform for correlation and retention
- Track outbound HTTP requests from the WordPress host to oauth2.googleapis.com to validate that real OAuth exchanges accompany Google login events
- Monitor access to resume and document files under wp-content/uploads/ (web server logs for downloads, file integrity monitoring for new or modified files) tied to compromised candidate sessions
How to Mitigate CVE-2024-11283
Immediate Actions Required
- Identify any WordPress installations running the WP JobHunt plugin or Chimpgroup JobCareer theme version 7.1 or earlier
- Disable the plugin or theme until a vendor-supplied patched release is installed
- Force a password reset and invalidate all sessions for every candidate account to evict active attacker sessions (WP-CLI can destroy a user's sessions with wp user session destroy); because the bypass does not use passwords, the session invalidation is the step that actually ends the attacker's access
- Review WordPress user and login logs for the last 90 days to identify suspicious authentications
Patch Information
At the time of NVD publication, no fixed version had been listed in the vulnerability record. Consult the vendor distribution page at ThemeForest Job Career Theme and the Wordfence Vulnerability Report for the latest patch availability and upgrade instructions, and treat any version at or below 7.1 as vulnerable until the vendor confirms a fix.
Workarounds
- Block requests to admin-ajax.php whose action parameter, in the query string or the POST body, equals google_api_login_callback, at a WAF or reverse proxy that inspects request bodies
- Disable the Google social login feature within the WP JobHunt plugin settings until patched
- Restrict access to /wp-admin/admin-ajax.php from untrusted networks using IP allow-listing where feasible; note that many themes, job-board front ends included, call admin-ajax.php from the public site, so test before enforcing
- Enforce multi-factor authentication for all candidate and administrative accounts as defence in depth; an MFA plugin that hooks the standard login flow may not cover a handler that issues authentication cookies directly, so this does not replace the fix
# Example nginx rule to block exploitation attempts against the vulnerable action.
# nginx evaluates "if" in the rewrite phase, before the request body has been
# read, so $request_body is empty at that point and a body match never fires.
# Plain nginx can therefore only block the query-string form of the action;
# the usual POST-body form needs a body-inspecting WAF such as ModSecurity.
location = /wp-admin/admin-ajax.php {
    if ($arg_action = "google_api_login_callback") {
        return 403;
    }
    # Keep the site's existing PHP handler for admin-ajax.php here (fastcgi_pass
    # or proxy_pass). An exact-match location takes precedence over the usual
    # "location ~ \.php$" block, so without a handler nginx would serve the
    # PHP source as a static file instead of executing it.
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.