CVE-2025-3918: 
WordPress vulnerability analysis and mitigation

The Job Listings plugin for WordPress contains a Privilege Escalation vulnerability (CVE-2025-3918) discovered and disclosed on May 2, 2025. The vulnerability affects versions 0.1 to 0.1.1 of the plugin and is related to improper authorization within the register_action() function. The plugin has been temporarily closed since May 1, 2025, pending a full security review (NVD CVE, WordPress Plugin).

The vulnerability stems from improper authorization in the registeraction() function where the plugin's registration handler reads the client-supplied $POST['userrole'] parameter and passes it directly to wpinsert_user() without restricting to a safe set of roles. This implementation flaw has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-285 (Improper Authorization) (NVD CVE).

The vulnerability allows unauthenticated attackers to elevate their privileges to that of an administrator, potentially gaining full control over the WordPress installation. This could lead to complete site compromise, as administrator accounts have the highest level of access in WordPress installations (NVD CVE).

The Job Listings plugin has been temporarily closed as of May 1, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version is released (WordPress Plugin).