Skip to main content

EMV JobCareer CVE-2025-69128

HIGH
Path Traversal (CWE-22)
2026-06-17 Patchstack
8.6
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
8.6 HIGH

Unauthenticated network-reachable path traversal in a WordPress theme; deletion of files outside the theme's directory justifies S:C and A:H, with no read or write-integrity primitive indicated.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 14:44 vuln.today

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in EMV JobCareer allows Path Traversal.

This issue affects JobCareer: from n/a through 7.3.

AnalysisAI

Path traversal in EMV JobCareer WordPress theme versions up to and including 7.3 allows remote unauthenticated attackers to delete arbitrary files outside the intended directory, leading to high availability impact with scope change. Reported by Patchstack and tracked under CWE-22, this flaw carries a CVSS 3.1 score of 8.6, though no public exploit identified at time of analysis. The Patchstack advisory characterizes this as an arbitrary file deletion vulnerability rather than a read primitive.

Technical ContextAI

EMV JobCareer is a commercial WordPress theme for job board sites, distributed through marketplaces and managed via the standard WordPress plugin/theme ecosystem. The underlying weakness is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), where user-supplied input - likely a filename or path parameter in an AJAX or admin-ajax endpoint exposed by the theme - is concatenated into a filesystem operation without normalizing or validating against a base directory. Combined with the Patchstack classification of 'arbitrary file deletion', the sink is almost certainly a PHP unlink() or equivalent file removal call reachable over HTTP. The single CPE 'cpe:2.3:a:emv:jobcareer:*:*:*:*:*:*:*:*' confirms scope is limited to the JobCareer theme itself, not core WordPress.

RemediationAI

No vendor-released patch identified at time of analysis - the Patchstack advisory documents the issue through version 7.3 without naming a fixed release. Monitor the EMV vendor channel and the Patchstack advisory (https://patchstack.com/database/wordpress/theme/jobcareer/vulnerability/wordpress-jobcareer-theme-7-3-arbitrary-file-deletion-vulnerability) for an updated theme version and upgrade as soon as one is published. As compensating controls until then, deploy a WAF rule (Patchstack, Wordfence, or equivalent) that blocks requests containing path traversal sequences such as '../' or encoded variants against the theme's admin-ajax and theme directory endpoints; tighten filesystem permissions so the PHP/web server user cannot delete wp-config.php, .htaccess, or files outside wp-content/uploads (this may break legitimate theme features that manage uploads); and restrict access to wp-admin/admin-ajax.php by IP allowlist where feasible - note that admin-ajax is also used by unauthenticated front-end actions, so blanket blocking will break site functionality.

Share

CVE-2025-69128 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy