Critical WordPress Theme Flaw (CVE-2025-5397, CVSS 9.8) Under Active Exploitation Allows Unauthenticated Admin Takeover
Ddos 
An extremely severe security vulnerability has been discovered and is being actively exploited in the Jobmonster – Job Board WordPress Theme, a popular theme used by nearly 5.6k customers to connect employers and candidates.
The flaw, tracked as CVE-2025-5397 and assigned a maximum severity CVSS 9.8 score, allows any unauthenticated attacker to bypass the login process and gain access to administrative user accounts.
The vulnerability lies in a fundamental failure of the theme’s custom login functions, specifically when social login features are enabled.
The core issue is in the check_login() function, which does not properly verify a user’s identity before granting them authenticated access.
An attacker can exploit this weakness, classified as an Authentication Bypass Using an Alternate Path or Channel (CWE-288), with a simple network request.
The CVSS 9.8 score reflects the worst-case scenario: the attacker requires No Privileges (PR:N), the attack complexity is Low (AC:L), and the impact on Confidentiality (C:H), Integrity (I:H), and Availability (A:H) is High. This means an unauthenticated attacker can achieve a full website takeover.
The vulnerability is already under active assault in the wild. Wordfence reported blocking 1,640 attacks targeting this vulnerability in the past 24 hours alone.
Once administrative access is gained, attackers can manipulate all site content, exfiltrate job candidate data and employer secrets, install malicious files (like backdoors), and use the compromised server for malicious campaigns.
All administrators using the Jobmonster theme on their WordPress sites must check their theme version and update (8.4.2) immediately to prevent total site compromise.
If immediate patching is not possible, disable the theme’s social login feature as a temporary measure, although updating remains the only certain fix.
Related Posts:
- Warning: New Malvertising Campaign Uses Fake Cloudflare Pages to Deliver Malware
- Raspberry Pi Unveils $4 Radio Module 2: Bringing Wi-Fi 4 & Bluetooth 5.2 to Custom Boards
- Critical WordPress Vulnerability Patched: Remote Code Execution Possible
- Malicious AI Tool Ads: The Latest Conduit for Cybercriminal Exploitation
- Zoom Patches High-Risk Flaws on Windows Platforms and its Client SDK
Donate