Cyber Posture

CVE-2025-1315

Critical

Published: 07 March 2025

Modified: 13 March 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.2th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1315 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Sfwebservice Injob. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 33.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 2 other techniques.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Requires verification of requester identity prior to authorizing authenticator resets, directly addressing the plugin's failure to validate user identity before password updates.

prevent

Limits permitted actions without identification or authentication, preventing unauthorized password resets for arbitrary users including administrators.

prevent, recover

Mandates timely identification, reporting, and remediation of flaws like this plugin vulnerability, enabling patching or disabling to eliminate the privilege escalation risk.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1098 Account Manipulation (tactic: Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability in a public-facing WordPress plugin allows unauthenticated remote password changes on arbitrary accounts (including admins), directly enabling exploitation of public-facing apps (T1190), privilege escalation (T1068), and account manipulation via unauthorized password modification (T1098).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The InWave Jobs plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 3.5.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Deeper analysis

CVE-2025-1315 is a privilege escalation vulnerability in the InWave Jobs plugin for WordPress, affecting all versions up to and including 3.5.1. The issue stems from the plugin failing to properly validate a user's identity before allowing a password update, enabling unauthorized password changes. It has been assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-306 (Missing Authentication for Critical Function).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By targeting the password reset functionality, they can change the passwords of arbitrary users, including administrators, thereby gaining full unauthorized access to those accounts and potentially complete control over the affected WordPress site.

Advisories from Wordfence provide detailed threat intelligence on the vulnerability, including its ID e49c7b2a-5241-4762-b7c9-c33b1ac4a668. The plugin's page on ThemeForest offers additional context on the InWave Jobs component. No specific patch information is detailed in the available references, so site owners should review these sources for updates and consider disabling the plugin until remediation is confirmed.

Details

CWE(s)

Affected Products

sfwebservice injob, versions ≤ 3.5.1

CVEs Like This One

CVE-2026-27012 (shared CWE-306)
CVE-2025-1283 (shared CWE-288, CWE-306)
CVE-2024-9658 (shared CWE-288, CWE-306)
CVE-2025-0159 (shared CWE-288, CWE-306)
CVE-2024-13771 (shared CWE-288, CWE-306)
CVE-2025-24456 (shared CWE-288, CWE-306)
CVE-2025-59367 (shared CWE-288, CWE-306)
CVE-2026-22731 (shared CWE-288, CWE-306)
CVE-2025-61673 (shared CWE-288, CWE-306)
CVE-2025-1717 (shared CWE-288, CWE-306)

References