CVE-2025-32146

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to include local files on the server through improper input validation in JS Job Manager's PHP code. Attackers can read sensitive files like configuration files, potentially leading to further compromise. All WordPress sites running JS Job Manager versions up to 2.0.2 are affected.

💻 Affected Systems

Products:
  • JS Job Manager (WordPress plugin)
Versions: n/a through 2.0.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with JS Job Manager plugin enabled.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise through reading sensitive configuration files (like wp-config.php) containing database credentials, followed by database takeover and potential remote code execution.

🟠 Likely Case

Information disclosure of sensitive files, potentially exposing database credentials, user data, or other configuration secrets.

🟢 If Mitigated

Limited impact if file permissions restrict access to sensitive files or if the web server runs with minimal privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple path traversal or file inclusion payloads can trigger the vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.3 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/js-jobs/vulnerability/wordpress-js-job-manager-plugin-2-0-2-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find JS Job Manager and update to version 2.0.3 or later.
4. Verify the update completes successfully.

🔧 Temporary Workarounds

Disable vulnerable plugin (platform: all)

Temporarily disable the JS Job Manager plugin until it is patched:

wp plugin deactivate js-jobs

Restrict file access via .htaccess (platform: linux)

Add rules to block file inclusion attempts (requires mod_rewrite and AllowOverride permitting .htaccess directives):

RewriteEngine On
RewriteCond %{QUERY_STRING} (.*\.\./|.*\.php) [NC]
RewriteRule ^ - [F,L]

Caveat: mod_rewrite matches %{QUERY_STRING} against the raw, undecoded query string, so percent-encoded traversal sequences are not caught by this rule, and any legitimate request carrying ".php" in a query parameter will also be rejected. Treat it as a stopgap, not a substitute for the patch.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block file inclusion patterns
  • Restrict web server permissions to prevent reading sensitive files

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for JS Job Manager version

Check Version:

wp plugin list --name=js-jobs --field=version

Verify Fix Applied:

Confirm plugin version is 2.0.3 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with file inclusion patterns in query strings
  • Access to sensitive files like wp-config.php from web paths

Network Indicators:

  • Unusual file paths in HTTP GET parameters
  • Requests to plugin-specific endpoints with traversal sequences

SIEM Query:

web.url:*js-jobs* AND (web.query:*../* OR web.query:*.php*)
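An added example, not part of the advisory and not the plugin vendor's code, that applies the Log Indicators and SIEM query above to web server access logs. It URL-decodes the query string before matching, so percent-encoded traversal sequences that the raw-string SIEM pattern would miss are still flagged. The log lines, the endpoint script name and the parameter name are constructed placeholders; only the js-jobs plugin slug comes from the advisory.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines in combined format (not real traffic).
# "example-endpoint.php" and "file=" are placeholders, not the plugin's real names.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2025:12:00:01 +0000] "GET /wp-content/plugins/js-jobs/example-endpoint.php?file=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.6 - - [10/Apr/2025:12:00:02 +0000] "GET /wp-content/plugins/js-jobs/example-endpoint.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Apr/2025:12:00:03 +0000] "GET /wp-content/plugins/js-jobs/example-endpoint.php?file=listing HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Apr/2025:12:00:04 +0000] "GET /?s=../etc HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspicious(target: str) -> bool:
    """Same logic as the SIEM query (js-jobs URL with '../' or '.php' in the query),
    but evaluated on the decoded query string. Decoding twice also catches
    double-encoded sequences."""
    path, _, query = target.partition("?")
    if "js-jobs" not in path.lower():
        return False
    decoded = unquote(unquote(query))
    return "../" in decoded or "..\\" in decoded or ".php" in decoded.lower()


def scan_log(text: str) -> list[dict]:
    """Return one record per suspicious request. A 200 status on a flagged request
    deserves escalation; a 403 suggests the .htaccess or WAF rule blocked it."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": m["status"], "target": m["target"]})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['status']} {h['target']}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the two constructed traversal requests are flagged and the two benign ones are not.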
