Description
The JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin plugin for WordPress is vulnerable to SQL Injection via the 'jobwp_upload_resume' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-04-19
Score: 7.5 High
EPSS: 22.8% Moderate
KEV: No
Impact: Unauthenticated SQL injection exposing database contents
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker who can send HTTP requests carrying a crafted "jobwp_upload_resume" parameter to inject arbitrary SQL into the plugin's query. Because the request needs no authentication, any data the WordPress database user can read is exposed, such as user credentials (the password hashes in wp_users), personal information submitted by applicants, or plugin configuration. The flaw is a classic CWE-89 instance: the user-supplied value is not sufficiently escaped and the query is not prepared, so the value is interpreted as SQL rather than as data. The CVSS vector (C:H/I:N/A:N) rates the impact as confidentiality only; the record does not describe data modification.
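To make the CWE-89 pattern described above concrete, here is an added, self-contained Python example. It is not code from the JobWP plugin or from OpenCVE: the table, column names, sample rows and the idea of a lookup keyed on the jobwp_upload_resume value are constructed stand-ins, and SQLite is used so it runs offline. It shows the concatenated query beside its parameterized form (in WordPress the equivalent is $wpdb->prepare() with placeholders) and runs the same constructed UNION payload against both.

```python
"""Concatenated vs. prepared SQL: the CWE-89 pattern behind CVE-2025-2010.

Added illustration; this is NOT code from the JobWP plugin. The table, columns,
rows and the idea of looking up a record by the jobwp_upload_resume value are
constructed stand-ins. SQLite is used so the example runs offline.
"""
import sqlite3
from typing import List, Tuple

# Constructed attacker input: terminates the intended comparison and appends a
# UNION that pulls credentials from a table the query was never meant to touch.
PAYLOAD = "1 UNION SELECT ID, user_login || ':' || user_pass FROM wp_users"


def build_db() -> sqlite3.Connection:
    """Constructed sample database: the table the query targets plus a
    credentials table standing in for WordPress's wp_users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE resumes (id INTEGER PRIMARY KEY, filename TEXT);
        INSERT INTO resumes VALUES (1, 'alice.pdf'), (2, 'bob.pdf');
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$B-constructed-hash-not-real');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, resume_id: str) -> List[Tuple]:
    """Vulnerable form: the request value is spliced into the SQL text, so the
    database parses attacker input as part of the statement (CWE-89)."""
    sql = f"SELECT id, filename FROM resumes WHERE id = {resume_id}"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, resume_id: str) -> List[Tuple]:
    """Fixed form: the statement text is fixed before the value arrives and the
    value is bound as data. In WordPress the same idea is
    $wpdb->prepare('... WHERE id = %d', $id)."""
    sql = "SELECT id, filename FROM resumes WHERE id = ?"
    return conn.execute(sql, (resume_id,)).fetchall()


def demo() -> dict:
    """Run both forms against a benign id and against the payload."""
    conn = build_db()
    return {
        "benign_vulnerable": lookup_vulnerable(conn, "1"),
        "benign_fixed": lookup_fixed(conn, "1"),
        "payload_vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "payload_fixed": lookup_fixed(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18s} -> {rows}")
```

The vulnerable form returns the admin credential row alongside the resume; the prepared form returns nothing for the payload because the whole string is compared against the integer column as one value. UNION is used rather than a stacked second statement because sqlite3's execute() refuses multiple statements; against MySQL the effect on the concatenated query is the same.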

Affected Systems

The flaw affects the JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin developed by mhmrajib. All releases up to and including version 2.3.9 are vulnerable; any WordPress site with one of these versions installed and active is exposed, since the vulnerable request requires no authentication.

Risk and Exploitability

The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects a network-reachable flaw that needs no privileges or user interaction. The EPSS score of about 23% estimates a significant probability of exploitation in the wild within the next 30 days, and the SSVC enrichment rates the issue as Automatable (with Exploitation: none at the time of assessment). Although it is not listed in the CISA KEV catalog, the public parameter name and the absence of authentication make the attack straightforward: an attacker sends unauthenticated HTTP requests carrying a crafted jobwp_upload_resume value and reads database contents back through the injected query. Modification of data is not part of the rated impact.

Generated by OpenCVE AI on April 20, 2026 at 23:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the JobWP plugin to a release newer than 2.3.9, which the record lists as the last affected version, and confirm in the release notes that this issue is addressed, since the Remediation field above records no vendor-confirmed fix.
  • If an update is not immediately possible, remove or disable the plugin until a patched version is available to eliminate the exposure.
  • Implement a web application firewall rule that blocks typical SQL injection patterns on the "jobwp_upload_resume" parameter or the plugin endpoint. Treat this as a stopgap: signature rules are routinely bypassed with alternate encodings, comment tricks and case changes, so the rule cuts noise from automated scanners but does not substitute for the update.
  • Review the database user privileges so the application follows the least privilege principle. WordPress needs read and write access to its own database, so this mainly limits reach beyond it (other schemas on a shared server, or MySQL's FILE privilege for reading and writing files); it does not stop the injected query from reading WordPress tables.
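As a companion to the WAF and patching advice above, here is an added Python triage helper, not OpenCVE or JobWP code, that scans web-server access logs for requests whose jobwp_upload_resume parameter carries SQL injection syntax. The log lines are constructed in Combined Log Format and the indicator regex is a heuristic that is assumed to fit typical extraction payloads; only GET query strings appear in such logs, so POST bodies need a request-body source such as a WAF audit log.

```python
"""Triage of web-server logs for CVE-2025-2010 probing.

Added example, not OpenCVE or JobWP code. It flags requests whose
jobwp_upload_resume parameter carries SQL-injection syntax. The log lines are
constructed in Combined Log Format; only GET query strings are visible in
such logs, so POST bodies need a request-body log (e.g. a WAF audit log).
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

PARAM = "jobwp_upload_resume"

# Indicators an extraction payload usually needs: string/comment delimiters,
# UNION/SELECT, timing functions and tautologies. Heuristic, not proof.
SQLI_PATTERN = re.compile(
    r"(['\"`;]|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|"
    r"\bor\b\s+\d+\s*=\s*\d+)",
    re.IGNORECASE,
)

# Combined Log Format: ip ident user [time] "METHOD target proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign use of the parameter, one UNION probe,
# one unrelated request, one time-based probe.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Apr/2025:10:01:02 +0000] "GET /job-apply/?jobwp_upload_resume=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Apr/2025:10:01:03 +0000] "GET /job-apply/?jobwp_upload_resume=1%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Apr/2025:10:05:44 +0000] "GET /jobs/?q=developer HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.11 - - [19/Apr/2025:10:07:09 +0000] "GET /job-apply/?jobwp_upload_resume=2%29%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 512 "-" "curl/8.0"
"""


def extract_param(target: str, name: str = PARAM) -> List[str]:
    """All values of `name` in the request target, percent-decoded. A second
    unquote catches double-encoded payloads (%2527 -> %27 -> ')."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(name, [])
    return [unquote_plus(v) for v in values]


def classify_line(line: str) -> Optional[Dict]:
    """Return a finding for a log line whose parameter looks like SQLi, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    hits = [v for v in extract_param(m["target"]) if SQLI_PATTERN.search(v)]
    if not hits:
        return None
    return {
        "ip": m["ip"],
        "timestamp": m["ts"],
        "method": m["method"],
        "status": int(m["status"]),
        "values": hits,
    }


def scan(log_text: str) -> List[Dict]:
    """Scan a whole log; 2xx responses to probes deserve first attention."""
    findings = []
    for line in log_text.splitlines():
        finding = classify_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['timestamp']} status={f['status']} values={f['values']}")
```

Two of the four constructed lines are flagged (the UNION probe and the time-based probe); the benign value "1" and the unrelated request are not. The same encoding tricks that evade this regex evade WAF signatures, which is why the rule above is a stopgap and a hit here is a reason to inspect the database for unexpected reads, not a confirmation of compromise on its own.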

Advisories

No advisories yet.

History

Wed, 16 Jul 2025 13:45:00 +0000

  Type     Field  Values Removed      Values Added
  Metrics  epss   {'score': 0.3889}   {'score': 0.27616}


Mon, 21 Apr 2025 03:15:00 +0000

  Type     Field  Values Removed  Values Added
  Metrics  ssvc   (none)          {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 19 Apr 2025 02:45:00 +0000

  Type         Field     Values Removed  Values Added
  Description  -         (none)          The JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin plugin for WordPress is vulnerable to SQL Injection via the 'jobwp_upload_resume' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
  Title        -         (none)          JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin <= 2.3.9 - Unauthenticated SQL Injection
  Weaknesses   -         (none)          CWE-89
  References   -         (none)          (none listed)
  Metrics      cvssV3_1  (none)          {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:16:45.074Z

Reserved: 2025-03-05T21:47:30.843Z

Link: CVE-2025-2010

Vulnrichment

Updated: 2025-04-21T02:46:01.603Z

NVD

Status : Deferred

Published: 2025-04-19T03:15:13.563

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2010

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:15:06Z

Weaknesses