Cyber Resilience

CVE-2026-25340

Severity: Critical
Published: 25 March 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: update to 4.8.4 or later (see Deeper analysis)
CVSS v3.1 base score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
EPSS score: 0.0028 (19.9th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-25340 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25340 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, specifically enabling Blind SQL Injection, in the NooTheme Jobmonster (noo-jobmonster) WordPress theme. It affects all versions of Jobmonster prior to 4.8.4 (no lower bound is specified, listed as "n/a"). The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), indicating critical severity: it is reachable over the network, has low attack complexity, requires no privileges or user interaction, has a changed scope, and has high confidentiality impact, no integrity impact, and low availability impact. It is classified under CWE-89.

Remote unauthenticated attackers can exploit this vulnerability over the network without privileges or user interaction. By injecting malicious SQL payloads, attackers can conduct blind SQL injection attacks to extract sensitive data from the underlying database, achieving high confidentiality impact. The changed scope suggests potential effects beyond the vulnerable component, with minor availability disruption possible.

Patchstack advisories detail the vulnerability in the WordPress Jobmonster theme and recommend updating to version 4.8.4 or later, where the SQL injection flaw has been addressed. Security practitioners should verify theme versions on affected WordPress sites and apply the patch promptly to mitigate exploitation risks.

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NooTheme Jobmonster noo-jobmonster allows Blind SQL Injection. This issue affects Jobmonster: from n/a through < 4.8.4.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Blind SQL injection in a publicly accessible WordPress theme directly enables remote exploitation of a public-facing web application (T1190) for unauthenticated data extraction from the backend database.

Confidence: HIGH (MITRE ATT&CK Enterprise v19.0)

CVEs Like This One

CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): enforces validation of all inputs at system entry points, directly preventing blind SQL injection by neutralizing special elements in SQL commands specific to this CVE.

SI-2 Flaw Remediation (prevent): mandates timely identification, reporting, and correction of flaws, directly addressing this CVE through patching the Jobmonster theme to version 4.8.4 or later.

RA-5 Vulnerability Monitoring and Scanning (prevent, detect): requires vulnerability scanning and remediation, enabling proactive detection and patching of SQL injection vulnerabilities like CVE-2026-25340 in WordPress themes.
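The following PHP is an added illustration for the SI-10 and SI-2 points above and for the version check recommended in the Deeper analysis; it is not code from the Jobmonster theme, NooTheme or Patchstack, and the query, the `job` post type and the function names are hypothetical. It places the generic CWE-89 pattern (untrusted input concatenated into SQL) beside the hardened form that WordPress provides through `$wpdb->prepare()` and `$wpdb->esc_like()`, and adds a check that compares an installed theme version against the fixed release 4.8.4 named in the advisory.

```php
<?php
// Added example, not the theme's own code. Demonstrates the SQL-injection-prone
// pattern and its prepared-statement replacement, plus a version check against
// the fixed release (4.8.4) stated in the advisory.

/**
 * Hypothetical vulnerable form (the CWE-89 pattern): the untrusted value is
 * spliced into the SQL string, so a quote character changes the query that
 * runs. Kept only as the "before" of the fix; do not use.
 */
function search_jobs_unsafe(wpdb $wpdb, string $location): array {
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} "
         . "WHERE post_type = 'job' AND post_content LIKE '%" . $location . "%'";
    return $wpdb->get_results($sql, ARRAY_A);
}

/**
 * Hardened form (SI-10 style input handling): the value is bound through
 * $wpdb->prepare(), which quotes and escapes it, and $wpdb->esc_like() escapes
 * the LIKE wildcards so the caller cannot widen the match. The SQL text no
 * longer depends on the content of $location.
 */
function search_jobs_safe(wpdb $wpdb, string $location): array {
    $like = '%' . $wpdb->esc_like($location) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_type = %s AND post_content LIKE %s",
        'job',   // constant post type, bound anyway for consistency
        $like    // untrusted value, bound as a string parameter
    );
    return $wpdb->get_results($sql, ARRAY_A);
}

/**
 * SI-2 / RA-5 check: true when an installed Jobmonster version is below the
 * fixed release 4.8.4 named in the advisory. Pure function, usable from a
 * scanner or a test without a WordPress runtime.
 */
function jobmonster_is_vulnerable(string $installed_version): bool {
    return version_compare($installed_version, '4.8.4', '<');
}

/**
 * Inventory check for a live site. wp_get_theme() is WordPress core; the
 * stylesheet slug 'noo-jobmonster' is the theme identifier from the advisory.
 * Returns null when not running inside WordPress or the theme is not present.
 */
function jobmonster_check_installed(): ?bool {
    if (!function_exists('wp_get_theme')) {
        return null;
    }
    $theme = wp_get_theme('noo-jobmonster');
    if (!$theme->exists()) {
        return null;
    }
    return jobmonster_is_vulnerable((string) $theme->get('Version'));
}

// Constructed sample values for the version check (no database needed):
// 4.8.3 -> vulnerable, 4.8.4 -> fixed, 4.9 -> fixed.
foreach (['4.8.3', '4.8.4', '4.9'] as $v) {
    printf("Jobmonster %s: %s\n", $v, jobmonster_is_vulnerable($v) ? 'vulnerable' : 'fixed');
}
```

The version check is the part a scanning workflow (RA-5) can run across many sites; the query rewrite is the per-code-path fix that SI-10 describes. Both rely only on functions that exist in WordPress core and standard PHP, and the sample versions at the bottom are constructed for illustration.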