Description
Cross-Site Request Forgery (CSRF) vulnerability in NotFound WPJobBoard allows Upload a Web Shell to a Web Server. This issue affects WPJobBoard: from n/a through n/a.
Published: 2025-04-15
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WPJobBoard plugin contains a flaw that allows attackers to upload a malicious file that is then executed on the server. The lack of CSRF protection lets an attacker send a crafted request from a victim’s browser, giving the attacker full remote code execution. The weakness is a Cross‑Site Request Forgery issue, CWE‑352.

Affected Systems

Any WordPress site with the WPJobBoard plugin installed at a version prior to 5.11.1 is affected; the vulnerability exists in all earlier releases of the plugin.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.6, placing it in the critical category. The EPSS score is below 1%, indicating a low estimated probability of exploitation, though exploitation remains possible. The flaw is not currently listed in the CISA KEV catalog. The most probable attack vector is a CSRF request issued from a logged‑in administrator’s session, which lets the attacker upload a web shell without the user’s knowledge.

Generated by OpenCVE AI on April 30, 2026 at 22:54 UTC.

Remediation

Vendor Solution

Update the WordPress WPJobBoard plugin to the latest available version (at least 5.11.1).


OpenCVE Recommended Actions

  • Update the WPJobBoard plugin to version 5.11.1 or newer to remove the CSRF and file‑upload flaw.
  • After updating, verify the upload endpoint is no longer accessible without proper authentication and that only privileged users can upload files.
  • If the plugin cannot be updated immediately, disable or remove it from the site to eliminate the attack surface, or restrict the upload functionality to super‑admin users only.


Advisories
Source: EUVD
ID: EUVD-2025-11105
Title: Cross-Site Request Forgery (CSRF) vulnerability in NotFound WPJobBoard allows Upload a Web Shell to a Web Server. This issue affects WPJobBoard: from n/a through n/a.

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in NotFound WPJobBoard wpjobboard allows Upload a Web Shell to a Web Server.This issue affects WPJobBoard: from n/a through < 5.11.1.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in NotFound WPJobBoard allows Upload a Web Shell to a Web Server. This issue affects WPJobBoard: from n/a through n/a.
References

Thu, 23 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in NotFound WPJobBoard allows Upload a Web Shell to a Web Server. This issue affects WPJobBoard: from n/a through n/a.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in NotFound WPJobBoard wpjobboard allows Upload a Web Shell to a Web Server.This issue affects WPJobBoard: from n/a through < 5.11.1.
References

Tue, 15 Apr 2025 22:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in NotFound WPJobBoard allows Upload a Web Shell to a Web Server. This issue affects WPJobBoard: from n/a through n/a.
Title WordPress WPJobBoard plugin < 5.11.1 - CSRF to Remote Code Execution (RCE) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:02.282Z

Reserved: 2025-03-26T09:22:27.935Z

Link: CVE-2025-30967

Vulnrichment

Updated: 2025-04-16T14:12:40.887Z

NVD

Status: Deferred

Published: 2025-04-15T22:15:26.683

Modified: 2026-04-28T19:30:50.937

Link: CVE-2025-30967

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T23:00:04Z
