CVE-2025-32146 HIGH

CVE-2025-32146: WordPress JS Job Manager plugin <= 2.0.2 - Local File Inclusion vulnerability

Vendor Joomsky
Product JS Job Manager
Weakness CWE-98 · PHP file inclusion
Published April 4, 2025
Last update April 28, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Job Manager js-jobs allows PHP Local File Inclusion.This issue affects JS Job Manager: from n/a through <= 2.0.2.

Explanation of Vulnerability in Simple Terms

02Summary

JS Job Manager versions 2.0.2 and earlier contain a code injection vulnerability that allows authenticated users with low privileges to execute arbitrary code on the site. The vulnerability requires network access and an active user account but no additional user interaction. This affects the confidentiality, integrity, and availability of the entire site.

What an attacker can do

03Attacker Capabilities

Run arbitrary code on the site with full access to the database and file system.

Potential impact on your site

04Site Impact

Any registered user can compromise the entire site, steal data, modify content, or take the site offline.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site; network access to the site.

Key dates

06Disclosure timeline

April 4, 2025 CVE published
April 28, 2026 Record updated