Jobs for WordPress < 2.7.12 – Authenticated (Subscriber+) Arbitrary File Read | CVE 2025-1310 | Plugin Vulnerabilities

Description

The Jobs for WordPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.7.11 via the 'job_postings_get_file' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

Fixed in 2.7.12

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/408312d3-9a9e-4b6b-9991-aee6b77745b2

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Arkadiusz Hydzik

Verified

No

WPVDB ID

5181b938-315d-41b0-9589-abc289235003

Timeline

Publicly Published

2025-03-25 (about 1 year ago)

Added

2025-03-25 (about 1 year ago)

Last Updated

2025-03-26 (about 1 year ago)

Other

Published

Title

Published

2015-06-10

Title

RobotCPA Plugin V5 - Unauthenticated Local File Inclusion

Published

2026-04-01

Title

MW WP Form < 5.1.1 - Unauthenticated Arbitrary File Move via move_temp_file_to_upload_dir

Published

2024-04-25

Title

XStore Core <= 5.3.5 - Authenticated (Subscriber+) Limited Arbitrary File Download

Published

2025-10-30

Title

WooCommerce Designer Pro < 1.9.31 - Unauthenticated Arbitrary File Read

Published

2018-01-08

Title

Media from FTP <= 9.84 - Authenticated Directory Traversal