Description
The Noo JobMonster theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.8.1. This is due to the check_login() function not properly verifying a user's identity prior to successfully authenticating them. This makes it possible for unauthenticated attackers to bypass standard authentication and access administrative user accounts. Please note that social login needs to be enabled in order for a site to be impacted by this vulnerability.
Published: 2025-10-31
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Apply Patch
AI Analysis

Impact

The Noo JobMonster theme for WordPress is affected by an authentication bypass flaw that allows unauthenticated attackers to acquire administrative privileges, provided that social login functionality is enabled on the site. The vulnerability originates from the check_login() function failing to properly verify a user's identity before granting access, exposing all administrative user accounts. Although this flaw does not directly lead to code execution or data exfiltration, it enables attackers to fully control the WordPress instance, potentially defacing content, publishing malicious posts, or altering site configuration.

Affected Systems

All versions of the Noo JobMonster WordPress theme up to and including 4.8.1 are affected. The flaw specifically impacts installations where the social login feature is enabled, as this activates the vulnerable check_login() code path.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating critical severity, yet the EPSS score is less than 1%, implying a low probability of exploitation at this time. The flaw is not listed in CISA KEV. Attackers can exploit it by accessing any page that triggers the check_login() function while social login is active, without needing any credentials. Compromise leads to full administrative control of the WordPress site.

Generated by OpenCVE AI on April 21, 2026 at 18:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Noo JobMonster theme to the latest available version (4.8.2 or newer) where the authentication bypass has been fixed.
  • If a theme update cannot be applied immediately, disable the social login feature either in the theme settings or via a security plugin to eliminate the vulnerable code path.
  • Verify that no other plugins or custom code modify the check_login() logic, and apply all pending security updates to WordPress core and other plugins.

Generated by OpenCVE AI on April 21, 2026 at 18:43 UTC.

Advisories

No advisories yet.

History

Mon, 03 Nov 2025 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Fri, 31 Oct 2025 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 31 Oct 2025 07:00:00 +0000

Type | Values Removed | Values Added
Description | | The Noo JobMonster theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.8.1. This is due to the check_login() function not properly verifying a user's identity prior to successfully authenticating them. This makes it possible for unauthenticated attackers to bypass standard authentication and access administrative user accounts. Please note that social login needs to be enabled in order for a site to be impacted by this vulnerability.
Title | | Jobmonster - Job Board WordPress Theme <= 4.8.1 - Authentication Bypass
Weaknesses | | CWE-288
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:58.036Z

Reserved: 2025-05-30T16:34:42.983Z

Link: CVE-2025-5397

Vulnrichment

Updated: 2025-10-31T14:40:14.587Z

NVD

Status: Deferred

Published: 2025-10-31T07:15:37.427

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5397

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:45:06Z

Weaknesses