Description
The InWave Jobs plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 3.5.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Published: 2025-03-07
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Unauthenticated Password Reset
Action: Immediate Patch
AI Analysis

Impact

The InWave Jobs plugin for WordPress allows an attacker who is not logged in to reset the password of any user account, including administrators. The password update is processed without any proof that the requester owns the account, so an unauthenticated attacker can take over any account and compromise the confidentiality, integrity and availability of the site's administrative functions. The weakness is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-306 (Missing Authentication for Critical Function): the plugin's reset handler is reachable without authentication and acts as an alternate route around the normal login and the core reset flow.

Affected Systems

InWave Jobs plugin versions up to and including 3.5.1 are affected. NVD records the vendor as sfwebservice and the product as injob in the CPE string cpe:2.3:a:sfwebservice:injob:*:*:*:*:*:wordpress:*:*; the CVE was assigned by Wordfence.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) marks this as critical: reachable over the network, low attack complexity, no privileges or user interaction required, and total loss of confidentiality, integrity and availability. The EPSS score below 1% is a low estimated probability of exploitation in the wild over the next 30 days, not evidence that exploitation is hard, and the CVE is not currently listed in the CISA KEV catalog; the SSVC assessment on this page nonetheless rates it Automatable with total technical impact. The attack vector is a remote request to the plugin's password reset handler, which requires no authentication. Because the handler does not verify that the requester owns the account (for example, by checking a one-time reset token sent to the account's registered email address), an attacker can submit a reset for any target username and set that account's password. The attacker then logs in as that user; targeting an administrator account yields full control of the site.

Generated by OpenCVE AI on April 20, 2026 at 23:39 UTC.
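The flaw class described in the analysis above, shown as an added illustrative example rather than the InWave Jobs plugin's own code: a hypothetical WordPress reset handler that updates a password on nothing more than a submitted username (the CWE-306 pattern), beside one that only accepts the change when the request carries the one-time reset key WordPress core mails to the account owner. The hook names, form field names and demo_* function names are assumptions; the WordPress functions called (check_password_reset_key, reset_password, WP_Session_Tokens, retrieve_password) are real core APIs.

```php
<?php
/**
 * Added example, not the InWave Jobs plugin's code: the missing-identity-check
 * pattern behind CVE-2025-1315 as a hypothetical WordPress reset handler, in
 * its vulnerable and hardened forms. Hook names, POST field names and demo_*
 * function names are assumptions.
 */

/*
 * VULNERABLE: the handler trusts the submitted login and password outright.
 * Any unauthenticated visitor who knows (or guesses) a username such as
 * "admin" can set that account's password. Deliberately not registered.
 */
function demo_reset_password_vulnerable() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $new   = (string) wp_unslash( $_POST['new_password'] ?? '' );
    $user  = get_user_by( 'login', $login );
    if ( $user && '' !== $new ) {
        // No proof that the requester owns this account before the update.
        wp_set_password( $new, $user->ID );
    }
    wp_safe_redirect( wp_login_url() );
    exit;
}

/*
 * HARDENED: the password is only changed if the request carries the one-time
 * reset key that core mailed to the account's address. check_password_reset_key()
 * returns a WP_User only when the key matches the stored hash for that login
 * and has not expired; otherwise it returns a WP_Error and nothing changes.
 */
function demo_reset_password_hardened() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $key   = (string) wp_unslash( $_POST['key'] ?? '' );
    $new   = (string) wp_unslash( $_POST['new_password'] ?? '' );

    if ( '' === $key || '' === $new ) {
        wp_die( 'Missing reset key or password.', 'Password reset', array( 'response' => 400 ) );
    }

    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        // One generic error for "unknown user" and "bad or expired key", so the
        // endpoint does not confirm which usernames exist.
        wp_die( 'This password reset link is invalid or has expired.', 'Password reset', array( 'response' => 403 ) );
    }

    // reset_password() stores the new hash via wp_set_password(), which also
    // clears the stored activation key so the link cannot be replayed, and
    // sends the password-changed notification.
    reset_password( $user, $new );

    // Evict every existing session for this account, so an attacker who already
    // holds a login cookie does not survive the reset.
    WP_Session_Tokens::get_instance( $user->ID )->destroy_all();

    wp_safe_redirect( add_query_arg( 'password', 'changed', wp_login_url() ) );
    exit;
}

// The reset form posts to admin-post.php with action=demo_reset_password. The
// nopriv hook is required because the requester is not logged in at this point.
add_action( 'admin_post_nopriv_demo_reset_password', 'demo_reset_password_hardened' );
add_action( 'admin_post_demo_reset_password', 'demo_reset_password_hardened' );

/*
 * The key itself comes from the request step, e.g. retrieve_password( $login ),
 * which generates it with get_password_reset_key() and mails it to the account
 * owner. Delivery to that mailbox is the identity check the vulnerable handler
 * skips; any plugin that exposes its own reset endpoint needs an equivalent.
 */
```

When auditing a plugin for this class of bug, look for any handler hooked on admin_post_nopriv_*, wp_ajax_nopriv_*, or a REST route with a permissive permission_callback that ends in wp_set_password(), wp_update_user() with user_pass, or a direct UPDATE of wp_users without a preceding check_password_reset_key() (or an equivalent proof of ownership) on the same request.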

Remediation

No vendor fix or workaround is recorded on this page.

OpenCVE Recommended Actions

  • Update the InWave Jobs plugin to a release later than 3.5.1. This recommendation names 3.5.2 as the fixed version, but the Remediation section above records no vendor fix, so confirm the patched version against the vendor's changelog or the Wordfence advisory before relying on it.
  • If an immediate upgrade is not feasible, restrict access to the plugin's password reset handler with web application firewall rules or server‑side access controls, or deactivate the plugin until it is patched. Keep WordPress core's own lost-password flow (wp-login.php?action=lostpassword) available so legitimate users can still recover their accounts.
  • Treat any exposed site as potentially compromised: rotate the passwords of all administrator accounts, invalidate existing sessions, and audit for administrator accounts, password changes, or plugin and theme modifications that you did not make.

Generated by OpenCVE AI on April 20, 2026 at 23:39 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-7388
Title: The InWave Jobs plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 3.5.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
History

Thu, 13 Mar 2025 15:30:00 +0000

Type: First Time appeared. Values added: Sfwebservice; Sfwebservice injob
Type: Weaknesses. Values added: CWE-306
Type: CPEs. Values added: cpe:2.3:a:sfwebservice:injob:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products. Values added: Sfwebservice; Sfwebservice injob

Fri, 07 Mar 2025 15:15:00 +0000

Type: Metrics. Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 07 Mar 2025 08:30:00 +0000

Type: Description. Values added: The InWave Jobs plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 3.5.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Type: Title. Values added: InWave Jobs <= 3.5.1 - Unauthenticated Privilege Escalation via Password Reset
Type: Weaknesses. Values added: CWE-288
Type: References. Values added:
Type: Metrics. Values added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:38.710Z

Reserved: 2025-02-14T21:44:40.875Z

Link: CVE-2025-1315

Vulnrichment

Updated: 2025-03-07T15:05:11.715Z

NVD

Status : Analyzed

Published: 2025-03-07T09:15:16.313

Modified: 2025-03-13T15:00:51.697

Link: CVE-2025-1315

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:45:21Z

Weaknesses