Description
Unrestricted Upload of File with Dangerous Type vulnerability in JoomSky JS Job Manager js-jobs allows Upload a Web Shell to a Web Server. This issue affects JS Job Manager: from n/a through <= 2.0.2.
Published: 2025-04-17
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can upload arbitrary files through the JoomSky JS Job Manager WordPress plugin and place a web shell on the server, leading to remote code execution. The vulnerability stems from missing validation of the uploaded file's type, which corresponds to CWE-434 (Unrestricted Upload of File with Dangerous Type). Successful execution of the uploaded code compromises confidentiality, integrity, and availability.

Affected Systems

The JoomSky JS Job Manager WordPress plugin is affected in all versions up to and including 2.0.2; the advisory gives the affected range as "n/a through 2.0.2", i.e. from the earliest release through 2.0.2. No later versions are listed as vulnerable.

Risk and Exploitability

The CVSS score of 10 denotes critical severity, yet the EPSS score below 1% indicates a very low current probability of exploitation, and the issue is not listed in the CISA KEV catalog. The likely attack surface is the plugin's file-upload interface, since the description refers to unrestricted upload of a file with a dangerous type. The description does not state authentication requirements; this analysis infers that the vulnerability is reachable through the web interface, potentially requiring only a user permitted to post jobs through the plugin, although the published CVSS vector records no privileges required (PR:N).

Generated by OpenCVE AI on April 30, 2026 at 22:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JoomSky JS Job Manager plugin to version 2.0.3 or later.
  • If an upgrade is not immediately available, remove or deactivate the plugin until a patched version is released.
  • Restrict accepted file types to a whitelist of safe MIME types and disallow executable extensions.
  • Place uploaded files in a directory without execute permissions and ensure web‑server file‑system permissions prevent script execution.
  • Continuously monitor web‑server logs for unauthorized file uploads and abnormal request patterns.


Advisories
Source: EUVD | ID: EUVD-2025-11728 | Title: Unrestricted Upload of File with Dangerous Type vulnerability in JoomSky JS Job Manager allows Upload a Web Shell to a Web Server. This issue affects JS Job Manager: from n/a through 2.0.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1)
  Removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  Added:   {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Unrestricted Upload of File with Dangerous Type vulnerability in JoomSky JS Job Manager allows Upload a Web Shell to a Web Server. This issue affects JS Job Manager: from n/a through 2.0.2.
  Added:   Unrestricted Upload of File with Dangerous Type vulnerability in JoomSky JS Job Manager js-jobs allows Upload a Web Shell to a Web Server.This issue affects JS Job Manager: from n/a through <= 2.0.2.
References
Metrics (cvssV3_1)
  Removed: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}
  Added:   {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 23 Jan 2026 20:45:00 +0000

CPEs
  cpe:2.3:a:joomsky:js_job_manager:*:*:*:*:*:wordpress:*:*

Thu, 17 Apr 2025 19:15:00 +0000

Metrics (ssvc)
  Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 16:00:00 +0000

Description
  Added: Unrestricted Upload of File with Dangerous Type vulnerability in JoomSky JS Job Manager allows Upload a Web Shell to a Web Server. This issue affects JS Job Manager: from n/a through 2.0.2.
Title
  Added: WordPress JS Job Manager plugin <= 2.0.2 - Arbitrary File Upload vulnerability
Weaknesses
  Added: CWE-434
References
Metrics (cvssV3_1)
  Added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:27.444Z

Reserved: 2025-04-09T11:21:11.059Z

Link: CVE-2025-32660

Vulnrichment

Updated: 2025-04-17T17:42:45.984Z

NVD

Status: Modified

Published: 2025-04-17T16:15:49.817

Modified: 2026-04-23T15:29:17.983

Link: CVE-2025-32660

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:15:16Z

Weaknesses