CVE-2025-3918

Name of the Vulnerable Software and Affected Versions Job Listings plugin for WordPress versions 0.1 through 0.1.1

Description The Job Listings plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the register action() function. The plugin’s registration handler reads the client-supplied $ POST['user role'] and passes it directly to wp insert user() without restricting to a safe set of roles. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.

Recommendations For versions 0.1 through 0.1.1, consider disabling the register action() function until a patch is available. Restrict access to the wp insert user() function to minimize the risk of exploitation. Avoid using the user role parameter in the affected registration handler until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.