CVE-2024-8615 Overview
The JobSearch WP Job Board plugin for WordPress contains a critical arbitrary file upload vulnerability in the jobsearch_location_load_excel_file_callback() function. This security flaw affects all versions up to and including 2.6.7, and results from missing file type validation. The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected site's server, potentially enabling remote code execution.
Critical Impact
Unauthenticated attackers can upload malicious files including PHP web shells, enabling complete server compromise without requiring any authentication credentials.
Affected Products
- Eyecix JobSearch WP Job Board plugin versions up to and including 2.6.7
- WordPress sites utilizing the JobSearch WP Job Board plugin
- Sites running the plugin from Codecanyon (item #21066856)
Discovery Timeline
- 2024-11-06 - CVE-2024-8615 published to NVD
- 2024-11-08 - Last updated in NVD database
Technical Details for CVE-2024-8615
Vulnerability Analysis
This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The jobsearch_location_load_excel_file_callback() function in the JobSearch WP Job Board plugin fails to properly validate file types during the upload process. This missing check allows attackers to bypass the expected restriction to spreadsheet files and upload executable files such as PHP scripts directly to the web server.
The attack requires no authentication and can be executed remotely over the network. The impact is severe: successful exploitation grants attackers the ability to achieve arbitrary code execution on the underlying server, potentially leading to complete site takeover, data exfiltration, and lateral movement within the hosting infrastructure.
Root Cause
The root cause stems from inadequate input validation in the file upload handler. The jobsearch_location_load_excel_file_callback() function was designed to handle Excel file uploads for location data but lacks proper file type verification. Without checking MIME types, file extensions, or file content signatures, the function blindly accepts any uploaded file, including malicious PHP scripts or other executable code.
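The three checks the paragraph above names (extension, MIME/container type, and content signature) are shown below as an added, self-contained example; it is not the plugin's code and does not reproduce its handler. It treats only .xls and .xlsx as acceptable for a location import (an assumption about what the feature needs), rejects any name that carries an executable extension in any position (so shell.php.xlsx fails as well as shell.php), and requires the bytes to match the container the extension claims: the OLE2 magic for legacy .xls, and for .xlsx a ZIP archive containing both [Content_Types].xml and xl/workbook.xml. The sample inputs at the bottom are constructed for the demo.

```python
import io
import secrets
import zipfile

# Extensions the location-import feature is assumed to need; everything else is rejected.
ALLOWED_EXT = {"xls", "xlsx"}
# Extensions that must not appear anywhere in the name (blocks double-extension tricks).
EXEC_EXT = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "phps"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls compound-file header
ZIP_MAGIC = b"PK\x03\x04"                          # first local file header of a ZIP (.xlsx)


def extension_check(filename):
    """Return the final lowercase extension if the name is acceptable, else None."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return None  # no extension, or an empty segment such as a leading dot
    if any(seg in EXEC_EXT for seg in parts[1:]):
        return None  # e.g. shell.php.xlsx
    ext = parts[-1]
    return ext if ext in ALLOWED_EXT else None


def looks_like_xlsx(data):
    """An .xlsx is a ZIP container with the OOXML content-types part and a workbook part."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "[Content_Types].xml" in names and "xl/workbook.xml" in names


def looks_like_xls(data):
    """A legacy .xls starts with the OLE2 compound-file signature."""
    return data.startswith(OLE2_MAGIC)


def validate_excel_upload(filename, data):
    """Return (accepted, reason). Extension and content signature must both agree."""
    ext = extension_check(filename)
    if ext is None:
        return False, "extension not allowed"
    if ext == "xlsx" and not looks_like_xlsx(data):
        return False, "content is not an OOXML workbook"
    if ext == "xls" and not looks_like_xls(data):
        return False, "content is not an OLE2 workbook"
    return True, "ok"


def storage_name(ext):
    """Never reuse the client-supplied name; store under a random name with the validated extension."""
    return f"{secrets.token_hex(16)}.{ext}"


def build_sample_xlsx():
    """Constructed minimal OOXML container for the demo (not a complete spreadsheet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


# Constructed inputs: two genuine workbooks and three uploads that must be rejected.
SAMPLES = {
    "locations.xlsx": build_sample_xlsx(),
    "locations.xls": OLE2_MAGIC + b"\x00" * 504,
    "upload.php": b"<?php echo 'not a spreadsheet'; ?>",
    "upload.php.xlsx": build_sample_xlsx(),
    "renamed.xlsx": b"<?php echo 'not a spreadsheet'; ?>",
}


def check_samples():
    """Run every sample through the validator; returns {name: accepted}."""
    return {name: validate_excel_upload(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18} -> {validate_excel_upload(name, data)}")
```

The same checks belong in the plugin's PHP handler; WordPress core's wp_check_filetype_and_ext() does the extension/MIME agreement part, and the signature check plus the random storage name (and a storage location where the web server does not execute scripts) close the remaining gap.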
Attack Vector
The attack is network-based and requires no user interaction or authentication. An attacker can craft a malicious HTTP request targeting the vulnerable AJAX endpoint associated with the jobsearch_location_load_excel_file_callback() function. By submitting a PHP web shell disguised as an Excel file (or simply uploaded directly), the attacker can place executable code on the server. Once uploaded, the attacker accesses the uploaded file via its public URL, triggering code execution with the privileges of the web server process.
The vulnerability is particularly dangerous because WordPress plugins often have predictable upload directories, making it straightforward for attackers to locate and execute their uploaded payloads. The lack of authentication means any internet-connected attacker can target vulnerable installations without needing to compromise user credentials first.
Detection Methods for CVE-2024-8615
Indicators of Compromise
- Unexpected PHP files appearing in WordPress upload directories, particularly within plugin-specific folders
- Web server access logs showing POST requests to AJAX handlers related to jobsearch_location_load_excel_file endpoints
- Suspicious files with executable extensions (.php, .phtml, .phar) in directories intended for Excel uploads
- Unusual outbound network connections from the web server indicating command-and-control communication
Detection Strategies
- Monitor WordPress upload directories for newly created PHP files using file integrity monitoring solutions
- Implement web application firewall (WAF) rules to detect and block file upload attempts containing PHP code patterns
- Review web server access logs for anomalous POST requests to JobSearch plugin AJAX endpoints
- Deploy endpoint detection solutions capable of identifying web shell behaviors and malicious file uploads
Monitoring Recommendations
- Configure real-time alerts for file creation events in WordPress wp-content/uploads/ and plugin directories
- Enable verbose logging on web servers to capture detailed request information for forensic analysis
- Implement behavioral monitoring to detect web shells executing system commands or spawning processes
- Regularly audit installed plugins for known vulnerabilities using WordPress security scanning tools
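The log review and upload-directory checks listed under Indicators of Compromise and Detection Strategies, as an added example that is not part of the advisory: a scanner that reads combined-format access log lines and flags (1) POST requests to admin-ajax.php carrying the suspect action and (2) any request for a file with an executable extension under wp-content/uploads/, plus a filesystem sweep that lists executable files in an uploads tree, catching double extensions such as notes.php.xlsx. The action name jobsearch_location_load_excel_file is assumed from the callback name in this advisory, and the log lines and directory contents are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Extensions the web server would execute; any such file under uploads/ is a finding.
EXEC_EXT = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "phps"}
# Assumed AJAX action name derived from the callback name in the advisory; adjust to the real one.
SUSPECT_ACTION = "jobsearch_location_load_excel_file"

# Apache/Nginx "combined" log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def has_exec_extension(name):
    """True if any extension segment of the name (not just the last) is executable."""
    return any(seg in EXEC_EXT for seg in name.lower().split(".")[1:])


def classify(line):
    """Return a finding (ip, reason, path) for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
    url, _, query = path.partition("?")
    # Stage 1: an upload attempt against the vulnerable AJAX action (visible only when the
    # action travels in the query string; a body-only action needs WAF or PHP-level logging).
    if method == "POST" and url.endswith("/wp-admin/admin-ajax.php") and SUSPECT_ACTION in query:
        return ip, "upload attempt via suspect AJAX action", path
    # Stage 2: a script fetched from the uploads tree; 200 means it was served or executed,
    # 403 means the execution block held, but the attempt is still worth knowing about.
    if "/wp-content/uploads/" in url and has_exec_extension(url.rsplit("/", 1)[-1]):
        return ip, f"executable file requested under uploads/ (HTTP {status})", path
    return None


def scan_access_log(lines):
    return [f for f in (classify(line) for line in lines) if f]


def find_executable_files(root):
    """List files under root whose name carries an executable extension, relative to root."""
    root = Path(root)
    hits = [p.relative_to(root).as_posix() for p in root.rglob("*")
            if p.is_file() and has_exec_extension(p.name)]
    return sorted(hits)


# Constructed access-log lines (RFC 5737 addresses): one upload attempt, one fetch of the
# dropped script, one blocked fetch, and two benign requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Nov/2024:10:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=jobsearch_location_load_excel_file HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Nov/2024:10:15:07 +0000] "GET /wp-content/uploads/2024/11/locations.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Nov/2024:10:15:09 +0000] "GET /wp-content/uploads/2024/11/old.phtml HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Nov/2024:10:16:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 25 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Nov/2024:10:16:30 +0000] "GET /wp-content/uploads/2024/11/logo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]


def demo_uploads_scan():
    """Build a constructed uploads tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as d:
        month = Path(d) / "2024" / "11"
        month.mkdir(parents=True)
        (month / "locations.xlsx").write_bytes(b"PK\x03\x04")
        (month / "locations.php").write_bytes(b"<?php ?>")
        (month / "notes.php.xlsx").write_bytes(b"<?php ?>")
        (Path(d) / "logo.png").write_bytes(b"\x89PNG")
        return find_executable_files(d)


if __name__ == "__main__":
    for ip, reason, path in scan_access_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{path}")
    print(demo_uploads_scan())
```

Run the sweep against the real wp-content/uploads/ path (and, per the first indicator above, any plugin-specific upload folder); because the default access log does not record POST bodies, the first detection stage only sees the action when it is in the query string, so pair it with a file integrity monitor on the uploads tree for coverage of the rest.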
How to Mitigate CVE-2024-8615
Immediate Actions Required
- Update the JobSearch WP Job Board plugin to a patched version immediately if available
- Temporarily disable the JobSearch WP Job Board plugin until a security patch is applied
- Audit the WordPress uploads directory for any suspicious files that may have been uploaded
- Implement WAF rules to block file upload requests to the vulnerable endpoint
- Review server access logs for evidence of exploitation attempts
Patch Information
The vulnerability affects all versions of the JobSearch WP Job Board plugin up to and including version 2.6.7. Organizations should check the Codecanyon Job Board Plugin page and the Wordfence Vulnerability Report for the latest patched version and update instructions.
Workarounds
- Implement server-level restrictions to prevent PHP execution in upload directories using .htaccess or web server configuration
- Deploy a web application firewall (WAF) with rules to block suspicious file upload patterns
- Restrict access to WordPress admin and AJAX endpoints using IP allowlisting where feasible
- Consider temporarily removing the plugin if it is not critical to site operations until a patch is available
# Configuration example: prevent PHP execution in the uploads directory (Apache 2.4 syntax)
# Add to .htaccess in wp-content/uploads/ (the directory's AllowOverride must permit it)
<FilesMatch "\.(?:php|phtml|phar|php3|php4|php5|php7|phps)$">
Require all denied
</FilesMatch>

# Nginx equivalent: add inside the server block, placed before the generic "location ~ \.php$"
# PHP handler, because the first matching regex location wins; the extension list matches the Apache rule
location ~* /wp-content/uploads/.*\.(?:php|phtml|phar|php3|php4|php5|php7|phps)$ {
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

