Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Job Manager js-jobs allows PHP Local File Inclusion.This issue affects JS Job Manager: from n/a through <= 2.0.2.
Published: 2025-04-11
Score: 8.1 High
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is caused by insufficient validation of filenames used in PHP include or require statements within the JoomSky JS Job Manager plugin. An attacker can supply a crafted parameter that leads the application to include arbitrary local files from the server’s filesystem. When a writable PHP script is included, remote code execution becomes possible; alternatively, reading protected files can expose configuration data or user information. The flaw is formally classified as CWE‑98 and carries a CVSS score of 8.1.

Affected Systems

Any WordPress installation that uses the JoomSky JS Job Manager plugin version 2.0.2 or older is potentially vulnerable. The issue exists across all releases from the initial public version through 2.0.2. Updating to 2.0.3 or newer removes the insecure handling of include paths.

Risk and Exploitability

The CVSS score indicates a high potential impact if the vulnerability is exploited, but the EPSS score of 2% suggests that real‑world exploitation risk is currently low. The vulnerability is not listed in the CISA KEV catalog, implying no widespread attacks have been reported. Attackers would likely target the plugin via an HTTP request that exploits the unvalidated inclusion parameter; the exact authentication requirements are not disclosed in the description, so the risk profile remains uncertain until further details emerge.

Generated by OpenCVE AI on May 20, 2026 at 14:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JS Job Manager plugin to version 2.0.3 or later to eliminate the insecure filename handling.
  • If the plugin is not required, disable or uninstall it to remove the vulnerability surface.
  • Restrict PHP’s include paths on the server by setting an open_basedir directive or similar configuration to limit file access to trusted directories.
  • Enable WordPress’s DISALLOW_FILE_EDIT constant in wp-config.php to prevent unauthorized file modifications through the admin interface.
  • Consider deploying a web application firewall or security plugin to detect and block suspicious request patterns that may indicate an LFI attempt.

Generated by OpenCVE AI on May 20, 2026 at 14:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-10746 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Job Manager allows PHP Local File Inclusion. This issue affects JS Job Manager: from n/a through 2.0.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Job Manager allows PHP Local File Inclusion. This issue affects JS Job Manager: from n/a through 2.0.2. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Job Manager js-jobs allows PHP Local File Inclusion.This issue affects JS Job Manager: from n/a through <= 2.0.2.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 23 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Joomsky
Joomsky js Job Manager
CPEs cpe:2.3:a:joomsky:js_job_manager:*:*:*:*:*:wordpress:*:*
Vendors & Products Joomsky
Joomsky js Job Manager

Fri, 11 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 11 Apr 2025 09:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Job Manager allows PHP Local File Inclusion. This issue affects JS Job Manager: from n/a through 2.0.2.
Title WordPress JS Job Manager plugin <= 2.0.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Joomsky Js Job Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:25.761Z

Reserved: 2025-04-09T11:20:51.367Z

Link: CVE-2025-32627

cve-icon Vulnrichment

Updated: 2025-04-11T13:37:42.815Z

cve-icon NVD

Status : Modified

Published: 2025-04-11T09:15:33.013

Modified: 2026-04-23T15:29:14.320

Link: CVE-2025-32627

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T15:00:13Z

Weaknesses