SQL Injection Vulnerability in JobWP Plugin for WordPress
CVE-2025-2010

7.5 HIGH

What is CVE-2025-2010?

CVE-2025-2010 is an SQL injection vulnerability in the JobWP plugin for WordPress, which provides job boards, job listings, career pages and recruitment workflows. All versions up to and including 2.3.9 are affected. The value of the 'jobwp_upload_resume' parameter is neither escaped nor passed through a prepared (parameterized) query before it reaches the database, so an unauthenticated attacker can append their own SQL to the query the plugin already runs and read data the query was never meant to return. For organizations that run the plugin for recruitment, the practical consequence is exposure of database contents to anyone who can reach the site.
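As an added illustration (this is not code from the JobWP plugin or from this advisory), the hypothetical AJAX handler below shows the flaw class the advisory describes, a request value interpolated into SQL without escaping or preparation, beside the hardened form that binds the value through $wpdb->prepare(). The table name, column name, function names and action names are assumptions made for the example.

```php
<?php
/*
 * Added illustration only; not JobWP's code. Shows the flaw class named in the
 * advisory (request value used in SQL without escaping or preparation) and the
 * corrected form. The table jobwp_example_resumes, column resume_file and the
 * function/action names are invented for this example.
 */

// --- Vulnerable pattern: the 'jobwp_upload_resume' value is interpolated into SQL.
function jobwp_example_find_resume_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'jobwp_example_resumes';
    $file  = $_POST['jobwp_upload_resume'];          // untrusted, never escaped

    // A value such as  x' UNION SELECT user_login, user_pass FROM wp_users --
    // closes the quoted string and appends a second SELECT, so rows from an
    // unrelated table come back in the same result set.
    $rows = $wpdb->get_results(
        "SELECT id, resume_file FROM {$table} WHERE resume_file = '{$file}'"
    );
    wp_send_json( $rows );
}

// --- Hardened form: validate the value, then bind it with a %s placeholder.
function jobwp_example_find_resume_safe() {
    global $wpdb;
    $table = $wpdb->prefix . 'jobwp_example_resumes';

    $file = isset( $_POST['jobwp_upload_resume'] )
        ? sanitize_file_name( wp_unslash( $_POST['jobwp_upload_resume'] ) )
        : '';
    if ( '' === $file ) {
        wp_send_json_error( 'missing resume name', 400 );   // sends the response and exits
    }

    // prepare() quotes and escapes the bound value, so any quote characters in
    // $file stay inside the string literal instead of ending it. Only values can
    // be bound with %s; the table name is built from $wpdb->prefix, never from
    // request data.
    $sql  = $wpdb->prepare(
        "SELECT id, resume_file FROM {$table} WHERE resume_file = %s",
        $file
    );
    $rows = $wpdb->get_results( $sql );
    wp_send_json_success( $rows );
}

// The advisory rates the flaw as reachable without authentication, which for a
// plugin AJAX endpoint usually means a handler registered on the nopriv hook too.
add_action( 'wp_ajax_jobwp_example_find_resume',        'jobwp_example_find_resume_safe' );
add_action( 'wp_ajax_nopriv_jobwp_example_find_resume', 'jobwp_example_find_resume_safe' );
```

Wrapping the interpolated value in esc_sql() would also close this particular hole, but prepare() is the form to review for: it keeps the value and the statement separate, so a later edit cannot silently drop the escaping. If a table or column name genuinely has to vary, WordPress 6.2 and later accept the %i identifier placeholder in prepare(); before that, pick the identifier from a fixed allow-list rather than from the request.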

Potential impact of CVE-2025-2010

  1. Data Exposure: An unauthenticated attacker can read data from the WordPress database through the injected query, including applicant and employee personal information held by the plugin and any other data in the same database.

  2. Follow-on Attacks: The CVSS vector records no integrity impact, so the flaw itself does not modify data or grant a login. The risk is in what the extracted data enables, such as cracking exported password hashes or using harvested account details in later attacks against the site and its users.

  3. Reputational and Regulatory Damage: Exposure of applicant personal data is a reportable breach in many jurisdictions, and the resulting loss of candidate and customer trust can affect business operations beyond the technical clean-up.

Affected Version(s)

JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin: all versions <= 2.3.9

EPSS Score

16% chance of being exploited in the next 30 days.

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matthew Rollings