CVE-2025-47438: 
WordPress vulnerability analysis and mitigation

CVE-2025-47438 is a Local File Inclusion vulnerability affecting the WordPress WP Job Portal plugin versions up to 2.3.1. The vulnerability was discovered by Trương Hữu Phúc and publicly disclosed on May 8, 2025. This security flaw is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is categorized under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The vulnerability allows for PHP Local File Inclusion and can be exploited without authentication (NVD, Patchstack).

This vulnerability is considered highly dangerous and expected to become mass exploited. It could allow malicious actors to include local files of the target website and display their contents. Particularly concerning is the potential access to files containing sensitive information such as database credentials, which could lead to complete database compromise depending on the configuration (Patchstack).

Users are advised to update to WP Job Portal version 2.3.2 or later, which contains the fix for this vulnerability. For immediate protection, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).