CVE-2025-32146: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-32146) was discovered in JoomSky JS Job Manager WordPress plugin versions through 2.0.2. The vulnerability was reported by Trương Hữu Phúc on February 8, 2025, and was publicly disclosed on April 4, 2025. The vulnerability stems from improper control of filename for Include/Require Statement in PHP Program, classified as CWE-98 (NVD, Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires Contributor or higher level privileges to exploit. The issue is categorized under the OWASP Top 10 category A3: Injection (Patchstack).

This vulnerability could allow a malicious actor to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configuration files, could be exposed, potentially leading to complete database compromise depending on the system configuration (Patchstack).

Currently, there is no official fix available for this vulnerability. The issue affects versions through 2.0.2, and no patched version has been released at this time (Patchstack).