Skip to main content

Jobmonster CVE-2026-25340

| EUVDEUVD-2026-15651 CRITICAL
SQL Injection (CWE-89)
2026-03-25 Patchstack GHSA-6r8c-pxcw-rm3r
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:48 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
4.8.4
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15651
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
CRITICAL 9.3

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NooTheme Jobmonster noo-jobmonster allows Blind SQL Injection.This issue affects Jobmonster: from n/a through < 4.8.4.

AnalysisAI

A blind SQL injection vulnerability exists in the NooTheme Jobmonster WordPress theme that allows unauthenticated attackers to execute arbitrary SQL queries against the underlying database. The vulnerability affects Jobmonster versions prior to 4.8.4, and while no active exploitation in the wild has been confirmed via KEV status, the vulnerability was disclosed by Patchstack with sufficient technical detail to enable exploitation. This is a critical web application flaw that could lead to complete database compromise, including extraction of sensitive user data, credentials, and job postings.

Technical ContextAI

The vulnerability stems from improper neutralization of special SQL characters in user-supplied input, classified under CWE-89 (SQL Injection). The Jobmonster theme (cpe:2.3:a:nootheme:jobmonster) is a WordPress plugin/theme component that likely processes user input in database queries without adequate parameterized queries or input validation. Blind SQL injection specifically means the attacker cannot directly see query results but can infer database structure and contents through time-based or boolean-based side-channel techniques, making exploitation more complex but still feasible for skilled attackers. The root cause is the failure to use prepared statements or properly escape user input before incorporation into SQL commands.

RemediationAI

The primary remediation is to upgrade NooTheme Jobmonster to version 4.8.4 or later immediately. This patch version addresses the SQL injection vulnerability through input validation and parameterized query fixes. Instructions for upgrading can be found in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Theme/noo-jobmonster/vulnerability/wordpress-jobmonster-theme-4-8-4-sql-injection-vulnerability. Until patching is feasible, implement a Web Application Firewall (WAF) rule set to detect and block SQL injection patterns in POST and GET parameters targeting the Jobmonster plugin, restrict direct database user permissions to read-only where possible, monitor database query logs for anomalous activity, and consider temporarily disabling the Jobmonster theme if it is not actively in use. Database backups should be taken immediately to enable recovery if compromise is detected.

Share

CVE-2026-25340 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy