Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NooTheme Jobmonster noo-jobmonster allows Blind SQL Injection. This issue affects Jobmonster: from n/a through < 4.8.4.
Published: 2026-03-25
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection that can expose or alter data
Action: Immediate Patch
AI Analysis

Impact

The NooTheme Jobmonster WordPress theme contains a blind SQL injection vulnerability (CWE-89) caused by improper neutralization of special elements in SQL commands. This flaw allows an attacker to execute arbitrary SQL statements against the site database, potentially reading, modifying, or deleting data. The CVSS score of 9.3 reflects the critical severity of this weakness.

Affected Systems

WordPress sites that use the NooTheme Jobmonster theme with a version earlier than 4.8.4 are affected. The issue does not apply to the theme’s newer releases.

Risk and Exploitability

The CVSS score indicates critical severity, while the EPSS score of less than 1% suggests that exploit activity is currently low. The vulnerability is not yet listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can trigger the injection remotely through crafted HTTP requests sent to the theme's job posting or form endpoints, a path that does not require elevated privileges or user interaction. Because the injection is blind, the attacker receives no direct query output and must infer results indirectly, but the flaw still permits data exfiltration or modification.

Generated by OpenCVE AI on March 26, 2026 at 20:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NooTheme Jobmonster to version 4.8.4 or later
  • Verify that the update resolves the SQL injection by testing site database queries
  • If an upgrade cannot be performed immediately, remove or disable the older Jobmonster theme files to eliminate the attack surface
  • Optionally restrict the WordPress database user’s privileges to the minimum required

Tracking

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 19:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Nootheme; Nootheme jobmonster; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Nootheme; Nootheme jobmonster; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NooTheme Jobmonster noo-jobmonster allows Blind SQL Injection. This issue affects Jobmonster: from n/a through < 4.8.4.

Type: Title
Values Removed: (none)
Values Added: WordPress Jobmonster theme < 4.8.4 - SQL Injection vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: References
Values Removed: (none)
Values Added: (none)

Subscriptions

Nootheme Jobmonster
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:08.647Z

Reserved: 2026-02-02T12:52:37.307Z

Link: CVE-2026-25340

Vulnrichment

Updated: 2026-03-26T19:12:06.945Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:44.663

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25340

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:00Z

Weaknesses