EMV JobCareer CVE-2025-69128
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Unauthenticated network-reachable path traversal in a WordPress theme; deletion of files outside the theme's directory justifies S:C and A:H, with no read or write-integrity primitive indicated.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in EMV JobCareer allows Path Traversal.
This issue affects JobCareer: from n/a through 7.3.
AnalysisAI
Path traversal in EMV JobCareer WordPress theme versions up to and including 7.3 allows remote unauthenticated attackers to delete arbitrary files outside the intended directory, leading to high availability impact with scope change. Reported by Patchstack and tracked under CWE-22, this flaw carries a CVSS 3.1 score of 8.6, though no public exploit identified at time of analysis. The Patchstack advisory characterizes this as an arbitrary file deletion vulnerability rather than a read primitive.
Technical ContextAI
EMV JobCareer is a commercial WordPress theme for job board sites, distributed through marketplaces and managed via the standard WordPress plugin/theme ecosystem. The underlying weakness is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), where user-supplied input - likely a filename or path parameter in an AJAX or admin-ajax endpoint exposed by the theme - is concatenated into a filesystem operation without normalizing or validating against a base directory. Combined with the Patchstack classification of 'arbitrary file deletion', the sink is almost certainly a PHP unlink() or equivalent file removal call reachable over HTTP. The single CPE 'cpe:2.3:a:emv:jobcareer:*:*:*:*:*:*:*:*' confirms scope is limited to the JobCareer theme itself, not core WordPress.
RemediationAI
No vendor-released patch identified at time of analysis - the Patchstack advisory documents the issue through version 7.3 without naming a fixed release. Monitor the EMV vendor channel and the Patchstack advisory (https://patchstack.com/database/wordpress/theme/jobcareer/vulnerability/wordpress-jobcareer-theme-7-3-arbitrary-file-deletion-vulnerability) for an updated theme version and upgrade as soon as one is published. As compensating controls until then, deploy a WAF rule (Patchstack, Wordfence, or equivalent) that blocks requests containing path traversal sequences such as '../' or encoded variants against the theme's admin-ajax and theme directory endpoints; tighten filesystem permissions so the PHP/web server user cannot delete wp-config.php, .htaccess, or files outside wp-content/uploads (this may break legitimate theme features that manage uploads); and restrict access to wp-admin/admin-ajax.php by IP allowlist where feasible - note that admin-ajax is also used by unauthenticated front-end actions, so blanket blocking will break site functionality.
The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. Ra
The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, an
The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, an
The JobCareer theme before 2.5.1 for WordPress has stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is r
The JobCareer | Job Board Responsive WordPress Theme theme for WordPress is vulnerable to unauthorized access, modificat
The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. Ra
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today