Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
7DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NooTheme Jobmonster noo-jobmonster allows Blind SQL Injection.This issue affects Jobmonster: from n/a through < 4.8.4.
AnalysisAI
A blind SQL injection vulnerability exists in the NooTheme Jobmonster WordPress theme that allows unauthenticated attackers to execute arbitrary SQL queries against the underlying database. The vulnerability affects Jobmonster versions prior to 4.8.4, and while no active exploitation in the wild has been confirmed via KEV status, the vulnerability was disclosed by Patchstack with sufficient technical detail to enable exploitation. This is a critical web application flaw that could lead to complete database compromise, including extraction of sensitive user data, credentials, and job postings.
Technical ContextAI
The vulnerability stems from improper neutralization of special SQL characters in user-supplied input, classified under CWE-89 (SQL Injection). The Jobmonster theme (cpe:2.3:a:nootheme:jobmonster) is a WordPress plugin/theme component that likely processes user input in database queries without adequate parameterized queries or input validation. Blind SQL injection specifically means the attacker cannot directly see query results but can infer database structure and contents through time-based or boolean-based side-channel techniques, making exploitation more complex but still feasible for skilled attackers. The root cause is the failure to use prepared statements or properly escape user input before incorporation into SQL commands.
RemediationAI
The primary remediation is to upgrade NooTheme Jobmonster to version 4.8.4 or later immediately. This patch version addresses the SQL injection vulnerability through input validation and parameterized query fixes. Instructions for upgrading can be found in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Theme/noo-jobmonster/vulnerability/wordpress-jobmonster-theme-4-8-4-sql-injection-vulnerability. Until patching is feasible, implement a Web Application Firewall (WAF) rule set to detect and block SQL injection patterns in POST and GET parameters targeting the Jobmonster plugin, restrict direct database user permissions to read-only where possible, monitor database query logs for anomalous activity, and consider temporarily disabling the Jobmonster theme if it is not actively in use. Database backups should be taken immediately to enable recovery if compromise is detected.
More in Jobmonster
View allIn the Noo JobMonster WordPress theme before 4.5.2.9 JobMonster there is a XSS vulnerability as the input for the search
The JobMonster Theme was vulnerable to Directory Listing in the /wp-content/uploads/jobmonster/ folder, as it did not in
Reflected cross-site scripting in the NooTheme Jobmonster WordPress job-board theme (versions up to and including 4.8.5)
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15651
GHSA-6r8c-pxcw-rm3r