
"Hackers are actively exploiting a serious security vulnerability in the popular JobMonster WordPress theme. The vulnerability allows attackers to take over administrator accounts under specific circumstances, giving them complete control over affected websites. The vulnerability, registered as CVE-2025-5397, received a risk score of 9.8 out of 10. The problem is present in all versions of the theme up to and including 4.8.1."
"The security company Wordfence discovered the attacks after blocking several attempts at abuse in a short period of time. According to the researchers, these are targeted attacks on websites where JobMonster's social login function is enabled. This feature allows users to log in with existing accounts from, for example, Google, Facebook, or LinkedIn. However, the theme trusts these external login credentials without sufficiently verifying them, allowing malicious parties to bypass the procedure and obtain administrator rights."
"Once that information is known, the flaw can be exploited to gain access to the website's administrator dashboard."

Vulnerability now fixed

"The developer of JobMonster, NooThemes, has now fixed the vulnerability in version 4.8.2 of the theme. Users are strongly advised to update to this version as soon as possible to prevent abuse. Those who are unable to upgrade immediately can temporarily limit the risk by disabling the social login option."
A severe authentication vulnerability in the JobMonster WordPress theme (CVE-2025-5397, 9.8 CVSS) exists in all versions up to 4.8.1. The bug in the user authentication function fails to properly verify identities for social logins, allowing attackers to bypass verification and, in some cases, log in as administrators without valid credentials. Successful exploitation often requires knowledge of an administrator's username or email. Wordfence observed targeted attack attempts against sites with social login enabled. The developer released version 4.8.2 to fix the flaw. Temporary mitigations include disabling social login, enabling two-factor authentication, changing passwords, and reviewing access logs.
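The bug class described above, trusting an identity the social-login callback claims instead of verifying the provider's assertion, as an added illustration that is not JobMonster's code and not based on the theme's internals. It assumes a constructed provider that signs tokens with an HMAC key and a demo user table; a real integration would validate the provider's signed ID token (signature, audience, expiry) the same way.

```python
import base64, hashlib, hmac, json, time

# Constructed demo data: the identity provider's signing key, our site's
# client id at that provider, and the site's local user table.
PROVIDER_SECRET = b"demo-provider-secret"
EXPECTED_AUDIENCE = "demo-site-client-id"
USERS = {
    "admin@example.com": {"login": "admin", "role": "administrator"},
    "bob@example.com": {"login": "bob", "role": "subscriber"},
}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(email: str, audience: str, secret: bytes = PROVIDER_SECRET, ttl: int = 300) -> str:
    """Stand-in for the provider: a signed 'body.signature' assertion about the user."""
    body = b64(json.dumps({"email": email, "aud": audience, "exp": time.time() + ttl}).encode())
    sig = b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def login_insecure(callback: dict):
    # Weak pattern: the email the callback *claims* is mapped straight to a local
    # account. Anyone who knows an administrator's email gets that account.
    return USERS.get(callback.get("email"))

def login_hardened(callback: dict):
    # Hardened pattern: accept only a provider assertion whose signature, audience
    # and expiry check out, and map the *verified* email, never the claimed one.
    token = callback.get("token") or ""
    if "." not in token:
        return None
    body, sig = token.split(".", 1)
    expected = hmac.new(PROVIDER_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(unb64(sig), expected):
        return None
    claims = json.loads(unb64(body))
    if claims.get("aud") != EXPECTED_AUDIENCE or claims.get("exp", 0) < time.time():
        return None
    return USERS.get(claims.get("email"))
```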
Read at Techzine Global