CVE-2024-13372: 
WordPress vulnerability analysis and mitigation

The WP Job Portal WordPress plugin (versions up to 2.2.6) contains an Insecure Direct Object Reference vulnerability identified as CVE-2024-13372. The vulnerability was discovered and disclosed on January 31, 2025, affecting the plugin's resume management functionality. The security flaw exists in the getresumefiledownloadbyid() and getallresumefiles() functions due to missing validation on a user-controlled key (NVD).

The vulnerability is classified as a Broken Access Control issue (CWE-639) with a CVSS v3.1 base score of 5.3 (Medium). The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with low confidentiality impact (C:L) and no impact on integrity (I:N) or availability (A:N) (NVD, Patchstack).

The vulnerability allows unauthenticated attackers to download users' resumes without proper authorization, potentially exposing sensitive personal information stored in resume files (NVD).

The vulnerability has been patched in version 2.2.7 of the WP Job Portal plugin. Users are advised to update to this version or later to resolve the security issue (Patchstack).