CVE-2026-25340
Published: 25 March 2026
Summary
CVE-2026-25340 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 19.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-25340 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, specifically enabling Blind SQL Injection, in the NooTheme Jobmonster (noo-jobmonster) WordPress theme. This issue affects all versions of Jobmonster prior to 4.8.4 (listed as from n/a through < 4.8.4). The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, changed scope, high confidentiality impact, and low availability impact. It is classified under CWE-89.
Remote unauthenticated attackers can exploit this vulnerability over the network without privileges or user interaction. By injecting malicious SQL payloads, attackers can conduct blind SQL injection attacks to extract sensitive data from the underlying database, achieving high confidentiality impact. The changed scope suggests potential effects beyond the vulnerable component, with minor availability disruption possible.
Patchstack advisories detail the vulnerability in the WordPress Jobmonster theme and recommend updating to version 4.8.4 or later, where the SQL injection flaw has been addressed. Security practitioners should verify theme versions on affected WordPress sites and apply the patch promptly to mitigate exploitation risks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15651
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NooTheme Jobmonster noo-jobmonster allows Blind SQL Injection. This issue affects Jobmonster: from n/a through < 4.8.4.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Blind SQL injection in a publicly accessible WordPress theme directly enables remote exploitation of a public-facing web application (T1190) for unauthenticated data extraction from the backend database.
Mitigating Controls (NIST 800-53 r5)
SI-10 enforces validation of all inputs at system entry points, directly preventing blind SQL injection by neutralizing special elements in SQL commands specific to this CVE.
SI-2 mandates timely identification, reporting, and correction of flaws, directly addressing this CVE through patching the Jobmonster theme to version 4.8.4 or later.
RA-5 requires vulnerability scanning and remediation, enabling proactive detection and patching of SQL injection vulnerabilities like CVE-2026-25340 in WordPress themes.
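The SI-10 control above comes down to one coding rule in a PHP theme: never splice request data into SQL text. The following is an added example written for this page, not Jobmonster's code and not taken from the Patchstack advisory. It builds a hypothetical job-lookup query the vulnerable way and the parameterized way, using an in-memory SQLite database through PDO so it runs offline with plain php-cli; the `jobs` table and its rows are constructed for the demo. In a WordPress theme the equivalent of `PDO::prepare()` is `$wpdb->prepare()` with `%s`/`%d` placeholders.

```php
<?php
// Added example (not Jobmonster's code): the blind-SQL-injection shape that
// string concatenation creates, beside the parameterized form SI-10 calls for.
// PDO + in-memory SQLite keeps it self-contained; the table and rows below are
// constructed for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE jobs (id INTEGER PRIMARY KEY, slug TEXT, title TEXT, published INTEGER)");
$db->exec("INSERT INTO jobs (slug, title, published) VALUES
    ('backend-dev', 'Backend Developer', 1),
    ('secret-role', 'Unannounced Role',  0)");

// VULNERABLE: untrusted $slug becomes part of the SQL grammar. The page never
// echoes database contents, but the caller can still observe whether a row was
// returned; that yes/no answer is exactly the oracle a blind injection relies on.
function job_exists_unsafe(PDO $db, string $slug): bool
{
    $sql = "SELECT id FROM jobs WHERE slug = '" . $slug . "' AND published = 1";
    return $db->query($sql)->fetch() !== false;
}

// HARDENED: the SQL text is fixed before any user data is seen; $slug travels
// as a bound value, so quotes and operators inside it remain data, not syntax.
// WordPress equivalent (hypothetical):
//   $wpdb->get_var( $wpdb->prepare( "SELECT id FROM jobs WHERE slug = %s AND published = 1", $slug ) )
function job_exists_safe(PDO $db, string $slug): bool
{
    $stmt = $db->prepare("SELECT id FROM jobs WHERE slug = :slug AND published = 1");
    $stmt->execute([':slug' => $slug]);
    return $stmt->fetch() !== false;
}

// Defence in depth: an allow-list on the shape of a slug rejects input that
// could never be a legitimate value before it reaches the database at all.
function is_valid_slug(string $slug): bool
{
    return (bool) preg_match('/^[a-z0-9-]{1,64}$/', $slug);
}

$normal = 'backend-dev';
$probe  = "x' OR '1'='1";   // constructed input that rewrites the WHERE clause

var_dump(job_exists_unsafe($db, $normal)); // bool(true)
var_dump(job_exists_unsafe($db, $probe));  // bool(true)  - condition was rewritten, query answers for rows it should not
var_dump(job_exists_safe($db, $normal));   // bool(true)
var_dump(job_exists_safe($db, $probe));    // bool(false) - the probe is compared as a literal slug
var_dump(is_valid_slug($probe));           // bool(false) - rejected before any query runs
```

The two lookups return the same answer for a real slug and different answers for the probe; that difference in behaviour is what a scanner (RA-5) looks for and what parameterization (SI-10) removes. The allow-list check is not a substitute for the prepared statement, only an extra layer in front of it.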