Jobmonster
Monthly
Reflected cross-site scripting in the NooTheme Jobmonster WordPress job-board theme (versions up to and including 4.8.5) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the flaw carries a scope change (S:C), successful exploitation can affect resources beyond the vulnerable component, such as the authenticated WordPress session of an administrator who is lured into clicking. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
A blind SQL injection vulnerability exists in the NooTheme Jobmonster WordPress theme that allows unauthenticated attackers to execute arbitrary SQL queries against the underlying database. The vulnerability affects Jobmonster versions prior to 4.8.4, and while no active exploitation in the wild has been confirmed via KEV status, the vulnerability was disclosed by Patchstack with sufficient technical detail to enable exploitation. This is a critical web application flaw that could lead to complete database compromise, including extraction of sensitive user data, credentials, and job postings.
In the Noo JobMonster WordPress theme before 4.5.2.9 JobMonster there is a XSS vulnerability as the input for the search form is provided through unsanitized GET requests. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The JobMonster Theme was vulnerable to Directory Listing in the /wp-content/uploads/jobmonster/ folder, as it did not include a default PHP file, or .htaccess file. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Reflected cross-site scripting in the NooTheme Jobmonster WordPress job-board theme (versions up to and including 4.8.5) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the flaw carries a scope change (S:C), successful exploitation can affect resources beyond the vulnerable component, such as the authenticated WordPress session of an administrator who is lured into clicking. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
A blind SQL injection vulnerability exists in the NooTheme Jobmonster WordPress theme that allows unauthenticated attackers to execute arbitrary SQL queries against the underlying database. The vulnerability affects Jobmonster versions prior to 4.8.4, and while no active exploitation in the wild has been confirmed via KEV status, the vulnerability was disclosed by Patchstack with sufficient technical detail to enable exploitation. This is a critical web application flaw that could lead to complete database compromise, including extraction of sensitive user data, credentials, and job postings.
In the Noo JobMonster WordPress theme before 4.5.2.9 JobMonster there is a XSS vulnerability as the input for the search form is provided through unsanitized GET requests. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The JobMonster Theme was vulnerable to Directory Listing in the /wp-content/uploads/jobmonster/ folder, as it did not include a default PHP file, or .htaccess file. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.