Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Job Manager js-jobs allows PHP Local File Inclusion. This issue affects JS Job Manager: from n/a through <= 2.0.2.
Published: 2025-04-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an improper control of the filename used in a PHP include/require statement, which permits a local file inclusion vulnerability in the JoomSky JS Job Manager plugin. This weakness, identified as CWE‑98, can allow an attacker to read arbitrary local files on the server, and in certain configurations could lead to execution of code or other compromises of confidentiality, integrity, or availability.

Affected Systems

WordPress sites that have installed the JoomSky JS Job Manager plugin in any version from the first release through 2.0.2 are affected. The plugin is identified as "JS Job Manager" for WordPress, and the vulnerability applies to all PHP environments where the plugin is enabled.

Risk and Exploitability

The CVSS score of 8.8 signals a high severity risk, and the EPSS score below 1% indicates that exploitation is currently considered unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog, meaning no known public exploit has been documented. Based on the description, the likely attack vector is inferred to be a remotely accessible input that influences the filename used in the include/require statement, enabling local file inclusion. This scenario could potentially be extended to remote code execution in certain server configurations.

Generated by OpenCVE AI on May 1, 2026 at 11:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the JoomSky JS Job Manager plugin to the latest release (any version newer than 2.0.2).
  • Verify that the plugin’s configuration does not expose a publicly writable path or file selection option that could be manipulated; if it does, restrict or remove that capability.
  • Enforce strict file system permissions on the plugin directory and its included files so that only the web server account can read them, thereby limiting the impact of any inclusion attempt.



Advisories
Source: EUVD
ID: EUVD-2025-9866
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Job Manager allows PHP Local File Inclusion. This issue affects JS Job Manager: from n/a through 2.0.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Job Manager allows PHP Local File Inclusion. This issue affects JS Job Manager: from n/a through 2.0.2.
Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Job Manager js-jobs allows PHP Local File Inclusion. This issue affects JS Job Manager: from n/a through <= 2.0.2.
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 23 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:joomsky:js_job_manager:*:*:*:*:*:wordpress:*:*

Fri, 04 Apr 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Job Manager allows PHP Local File Inclusion. This issue affects JS Job Manager: from n/a through 2.0.2.
Title WordPress JS Job Manager plugin <= 2.0.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Joomsky Js Job Manager
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:17.038Z

Reserved: 2025-04-04T10:00:50.063Z

Link: CVE-2025-32146

Vulnrichment

Updated: 2025-04-04T19:53:46.645Z

NVD

Status: Modified

Published: 2025-04-04T16:15:22.573

Modified: 2026-04-23T15:28:38.590

Link: CVE-2025-32146

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:15:15Z

Weaknesses