Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated network-reachable SQLi in a WordPress theme typically yields full read and write to the WordPress database (C:H/I:H); scope kept Unchanged as injection stays within the WP DB authorization boundary.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in WPJobster <= 6.3.5 versions.
AnalysisAI
Unauthenticated SQL injection in the WPJobster WordPress theme versions 6.3.5 and earlier allows remote attackers to inject SQL queries without any authentication or user interaction. Reported by Patchstack and tracked under CWE-89, the issue carries a CVSS 3.1 score of 9.3 with a scope-changed impact, meaning a successful injection can affect resources beyond the vulnerable component. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of any WordPress site running the WPJobster theme version 6.3.5 or earlier, with no user interaction required (consistent with CVSS AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N is a worst-case exposure profile - remotely reachable, low complexity, no privileges, no user interaction - which aligns with an unauthenticated WordPress theme endpoint. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker discovers a WPJobster-powered job board via WordPress fingerprinting or theme detection, then issues a crafted HTTP request to a vulnerable endpoint with SQL payloads in a parameter that flows into a wpdb query. Using UNION-based or blind extraction techniques, the attacker exfiltrates the wp_users table (password hashes, emails) and any secrets stored in wp_options, enabling follow-on credential cracking and account takeover. |
| Remediation | No vendor-released patch identified at time of analysis from the provided data; site operators should monitor the Patchstack advisory (https://patchstack.com/database/wordpress/theme/wpjobster/vulnerability/wordpress-wpjobster-theme-6-3-5-sql-injection-vulnerability) and the theme vendor's changelog for a version above 6.3.5 and upgrade immediately when released. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Deactivate WPJobster theme versions 6.3.5 and earlier and switch to a patched alternative theme; update WordPress core, all plugins, and MySQL to latest stable versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37660