The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of randomization of a password created during Single Sign-On via Google or Facebook. This makes it possible for unauthenticated attackers to change the password of arbitrary Candidate-level users if the attacker knows the username assigned to the victim during account creation.
A product requires authentication, but the product has an alternate path or channel that does not require authentication.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Civi | Yxper | * | 2.1.4 (including) |