Threat actors are actively exploiting a critical vulnerability in the JobMonster WordPress theme that could allow them to hijack administrator accounts under certain conditions.

The issue, tracked as CVE-2025-5397, was discovered by the security firm Wordfence, which reported blocking multiple exploit attempts within the past 24 hours. JobMonster, developed by NooThemes, is a premium WordPress theme widely used for job listing and recruitment websites, with more than 5,500 sales on Envato.

The vulnerability, which has a critical severity score of 9.8, stems from an authentication bypass flaw affecting all versions of the theme up to 4.8.1. According to the flaw description, the check_login() function fails to properly verify user identities, allowing attackers to bypass standard authentication and gain access to administrative accounts.

To exploit this bug, the social login feature must be enabled. This feature lets users sign in with existing social media accounts like Google, Facebook, or LinkedIn. However, JobMonster fails to properly validate external login data, which means hackers can spoof admin access without valid credentials—though they still need to know the target admin’s username or email.
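The root cause described above, a login callback that trusts identity data instead of a verified assertion from the provider, is easiest to see beside the pattern that avoids it. The following PHP is an added illustration written for this article and is not JobMonster's or NooThemes' code; it shows a weak social-login handler next to a hardened one for a generic WordPress site. `verify_provider_id_token()` is a hypothetical helper standing in for the provider SDK's signature, issuer, audience and expiry checks, and the `social_login_{provider}_sub` user-meta key is an assumed naming convention.

```php
<?php
// Added example, not code from the JobMonster theme. Assumes WordPress core
// functions and a hypothetical verify_provider_id_token() helper.

// Weak pattern (the class of bug the article describes): the callback trusts
// the email carried in the request itself and logs in whichever local account
// matches it. Knowing an admin's email is then enough to obtain that session.
function weak_social_login( array $request ) {
    $user = get_user_by( 'email', $request['email'] );
    if ( $user ) {
        wp_set_auth_cookie( $user->ID );  // session issued without any proof of identity
        return $user;
    }
    return new WP_Error( 'no_user', 'Unknown account' );
}

// Hardened pattern: require a provider-signed token, verify it server-side,
// then resolve the local user through the provider's stable subject identifier
// stored when the account was linked. The email claim is used only for a
// first-time link of a non-privileged account.
function hardened_social_login( string $provider, string $id_token ) {
    // Hypothetical helper: returns ['sub' => ..., 'email' => ..., 'email_verified' => bool]
    // or a WP_Error when signature, issuer, audience or expiry checks fail.
    $claims = verify_provider_id_token( $provider, $id_token );
    if ( is_wp_error( $claims ) ) {
        return $claims;
    }

    $meta_key = "social_login_{$provider}_sub";  // assumed meta key naming

    // 1. Primary path: match on the provider subject previously stored in user meta.
    $linked = get_users( array(
        'meta_key'   => $meta_key,
        'meta_value' => $claims['sub'],
        'number'     => 1,
    ) );
    if ( $linked ) {
        wp_set_auth_cookie( $linked[0]->ID );
        return $linked[0];
    }

    // 2. First-time link: only on an email the provider itself has verified,
    //    and never for accounts holding elevated capabilities. Those must link
    //    a provider from their profile while already authenticated normally.
    if ( empty( $claims['email_verified'] ) ) {
        return new WP_Error( 'unverified_email', 'Provider has not verified this email' );
    }
    $user = get_user_by( 'email', $claims['email'] );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown account' );
    }
    if ( user_can( $user, 'manage_options' ) || user_can( $user, 'edit_users' ) ) {
        return new WP_Error( 'privileged_link_refused', 'Link this provider from your profile page first' );
    }
    update_user_meta( $user->ID, $meta_key, $claims['sub'] );
    wp_set_auth_cookie( $user->ID );
    return $user;
}
```

The important design choice is in step 1: once an account is linked, the lookup key is the provider's subject claim from a token the server verified, so nothing the client types (username, email) selects which account gets the session. Step 2 closes the remaining gap by refusing to auto-link privileged accounts on first sight, which is exactly the population an attacker would aim the bypass at.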

The vulnerability has been fixed in JobMonster version 4.8.2, which is now the latest release. Users are strongly urged to update immediately. If updating isn’t possible, it’s advised to disable the social login function temporarily. Enabling two-factor authentication, rotating admin credentials, and checking access logs for unusual activity are also recommended steps.
