CVE-2024-11711 Overview
CVE-2024-11711 is a SQL injection vulnerability in the WP Job Portal WordPress plugin, a recruitment system used for company and job board websites. The flaw affects all versions up to and including 2.2.1 and resides in the handling of the resumeid parameter. Insufficient escaping of user-supplied input and lack of proper SQL query preparation allow unauthenticated attackers to append additional SQL statements to existing queries. Successful exploitation enables extraction of sensitive information from the WordPress database, including user credentials, personally identifiable information, and application secrets. The issue is tracked under [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Unauthenticated remote attackers can extract sensitive database contents from affected WordPress sites without any user interaction.
Affected Products
- WP Job Portal WordPress plugin versions up to and including 2.2.1
- Patched in WP Job Portal version 2.2.3
- WordPress sites running the wpjobportal:wp_job_portal component
Discovery Timeline
- 2024-12-14 - CVE-2024-11711 published to NVD
- 2025-02-05 - Last updated in NVD database
Technical Details for CVE-2024-11711
Vulnerability Analysis
The vulnerability is a classic union-based or stacked SQL injection in the resume module of the WP Job Portal plugin. The resumeid parameter accepts user-supplied input that is concatenated directly into a SQL query inside modules/resume/model.php. The plugin does not apply esc_sql(), wpdb::prepare(), or parameter binding before passing the value to the database layer. As a result, attackers can break out of the intended query context and inject arbitrary SQL clauses. Because the endpoint is reachable without authentication, exploitation requires no user credentials and no interaction from a legitimate user.
Root Cause
The root cause is improper neutralization of special characters in the resumeid parameter before it is incorporated into a SQL statement. The vulnerable query in resume/model.php concatenates the parameter as a string rather than binding it as a typed placeholder. Reviewing the WordPress plugin changeset for version 2.2.3 confirms the fix replaces concatenation with prepared statements. See the WordPress Plugin Change Log for the corrected code.
Attack Vector
The attack vector is network-based over HTTP or HTTPS against the public-facing WordPress site. An attacker issues a crafted request to the plugin endpoint that processes the resumeid parameter and appends malicious SQL syntax such as UNION SELECT clauses. The query executes with the privileges of the WordPress database user, exposing tables including wp_users and wp_usermeta. Refer to the Wordfence Vulnerability Report and the GitHub Gist Code Snippet for the vulnerable code location.
Detection Methods for CVE-2024-11711
Indicators of Compromise
- HTTP requests containing SQL keywords such as UNION, SELECT, SLEEP, or INFORMATION_SCHEMA in the resumeid query parameter.
- Unusually long or URL-encoded payloads targeting WP Job Portal resume endpoints.
- Web server access logs showing repeated requests to plugin URLs with varying resumeid values from a single source IP.
- Database query logs showing unexpected reads against wp_users, wp_usermeta, or wp_options.
Detection Strategies
- Inspect WordPress access logs for requests to wp-job-portal resume endpoints containing SQL metacharacters in resumeid.
- Deploy a web application firewall ruleset that flags SQL injection patterns on plugin parameters.
- Correlate spikes in 200-status responses with database error events to identify successful injection attempts.
Monitoring Recommendations
- Enable WordPress debug logging and MySQL general query logging on staging or canary instances to capture anomalous queries.
- Alert on outbound traffic patterns that suggest database content exfiltration following plugin endpoint access.
- Track plugin version inventory across WordPress fleets to identify hosts still running versions at or below 2.2.1.
How to Mitigate CVE-2024-11711
Immediate Actions Required
- Upgrade the WP Job Portal plugin to version 2.2.3 or later on every affected WordPress instance.
- Audit the WordPress database for unauthorized administrator accounts, modified user emails, and tampered options entries.
- Rotate all WordPress administrator passwords, API keys, and secrets stored in wp_options if exploitation is suspected.
- Review web server and database logs for historical exploitation against the resumeid parameter.
Patch Information
The vendor addressed the vulnerability in WP Job Portal version 2.2.3. The fix introduces parameter binding for the resumeid value in modules/resume/model.php. Administrators should apply the update through the WordPress plugin manager or by downloading the latest release from the plugin repository. The full code diff is available in the WordPress Plugin Change Log.
Workarounds
- If immediate patching is not possible, deactivate the WP Job Portal plugin until the upgrade can be applied.
- Restrict access to plugin resume endpoints using web server access controls or a web application firewall rule.
- Apply a virtual patch at the WAF layer that rejects requests where resumeid contains non-numeric characters.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
