CVE-2025-1310: 
WordPress vulnerability analysis and mitigation

The Jobs for WordPress plugin is affected by a Directory Traversal vulnerability (CVE-2025-1310) in versions up to and including 2.7.11. The vulnerability was discovered and disclosed on March 26, 2025, affecting the 'jobpostingsget_file' parameter. This security issue allows authenticated attackers with Subscriber-level access or higher to read arbitrary files on the server (NVD).

The vulnerability exists in the file handling mechanism of the Jobs for WordPress plugin, specifically in the 'jobpostingsget_file' parameter. The issue stems from improper validation of file paths, allowing directory traversal attacks. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The weakness is classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory (NVD).

The vulnerability allows authenticated attackers to read the contents of arbitrary files on the server. This access could expose sensitive information stored in server files, potentially leading to further system compromise. The attack requires authentication with at least Subscriber-level access, which somewhat limits the potential impact (NVD).

The vulnerability has been patched in version 2.7.12 of the Jobs for WordPress plugin. The fix includes implementing proper file path sanitization using basename() and sanitizefilename() functions, along with additional path verification using realpath() to prevent directory traversal attacks (WordPress Plugin).