Skip to main content

WPJobster EUVDEUVD-2026-37660

| CVE-2026-22340 CRITICAL
SQL Injection (CWE-89)
2026-06-17 Patchstack
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.1 CRITICAL

Unauthenticated network-reachable SQLi in a WordPress theme typically yields full read and write to the WordPress database (C:H/I:H); scope kept Unchanged as injection stays within the WP DB authorization boundary.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:30 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in WPJobster <= 6.3.5 versions.

AnalysisAI

Unauthenticated SQL injection in the WPJobster WordPress theme versions 6.3.5 and earlier allows remote attackers to inject SQL queries without any authentication or user interaction. Reported by Patchstack and tracked under CWE-89, the issue carries a CVSS 3.1 score of 9.3 with a scope-changed impact, meaning a successful injection can affect resources beyond the vulnerable component. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Fingerprint WordPress site running WPJobster
Delivery
Identify vulnerable theme endpoint
Exploit
Send crafted request with SQL payload
Execution
Extract data via UNION or blind SQLi
Persist
Harvest credentials and secrets from database
Impact
Pivot to admin account takeover

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of any WordPress site running the WPJobster theme version 6.3.5 or earlier, with no user interaction required (consistent with CVSS AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N is a worst-case exposure profile - remotely reachable, low complexity, no privileges, no user interaction - which aligns with an unauthenticated WordPress theme endpoint. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker discovers a WPJobster-powered job board via WordPress fingerprinting or theme detection, then issues a crafted HTTP request to a vulnerable endpoint with SQL payloads in a parameter that flows into a wpdb query. Using UNION-based or blind extraction techniques, the attacker exfiltrates the wp_users table (password hashes, emails) and any secrets stored in wp_options, enabling follow-on credential cracking and account takeover.
Remediation No vendor-released patch identified at time of analysis from the provided data; site operators should monitor the Patchstack advisory (https://patchstack.com/database/wordpress/theme/wpjobster/vulnerability/wordpress-wpjobster-theme-6-3-5-sql-injection-vulnerability) and the theme vendor's changelog for a version above 6.3.5 and upgrade immediately when released. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Deactivate WPJobster theme versions 6.3.5 and earlier and switch to a patched alternative theme; update WordPress core, all plugins, and MySQL to latest stable versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37660 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy