CVE-2025-2010: 
WordPress vulnerability analysis and mitigation

The JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin for WordPress contains a SQL Injection vulnerability (CVE-2025-2010) discovered in April 2025. The vulnerability affects all versions up to and including 2.3.9, where the 'jobwpuploadresume' parameter is susceptible to SQL injection attacks due to insufficient escaping of user input and inadequate SQL query preparation (NVD).

The vulnerability is classified as SQL Injection (CWE-89) with a CVSS v3.1 Base Score of 7.5 (HIGH). The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with high confidentiality impact (C:H) but no impact on integrity (I:N) or availability (A:N) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially leading to the extraction of sensitive information from the database (NVD).

The vulnerability has been patched in version 2.4.0 of the plugin, which implements proper SQL query preparation using wpdb->prepare() instead of direct query concatenation (WordPress Plugin).