CVE-2025-3918
Job Listings 0.1 - 0.1.1 - Unauthenticated Privilege Escalation via register_action Function
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Job Listings 0.1 - 0.1.1 - Unauthenticated Privilege Escalation via register_action Function
The Job Listings plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the register_action() function in versions 0.1 to 0.1.1. The plugin’s registration handler reads the client-supplied $_POST['user_role'] and passes it directly to wp_insert_user() without restricting to a safe set of roles. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.
Reserved 2025-04-24 | Published 2025-05-03 | Updated 2025-05-06 | Assigner WordfenceCWE-285 Improper Authorization
| 2025-05-02: | Disclosed |
Kenneth Dunn
www.wordfence.com/...-c3d0-4eb2-9c18-1af2edca37ff?source=cve
plugins.trac.wordpress.org/...orms/class-jlt-form-member.php
wordpress.org/plugins/job-listings/
Support options
