Vulnerability Description
The Job Listings plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the register_action() function in versions 0.1 to 0.1.1. The plugin’s registration handler reads the client-supplied $_POST['user_role'] and passes it directly to wp_insert_user() without restricting to a safe set of roles. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/job-listings/trunk/includes/forms/cla
- https://wordpress.org/plugins/job-listings/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c9cd43f5-c3d0-4eb2-9c1
FAQ
What is CVE-2025-3918?
CVE-2025-3918 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Job Listings plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the register_action() function in versions 0.1 to 0.1.1. The plugin’s registration hand...
How severe is CVE-2025-3918?
CVE-2025-3918 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-3918?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.