
Attackers exploit critical bypass flaw in WordPress JobMonster theme


An authentication bypass flaw in the JobMonster theme for WordPress, which lets attackers skip the normal login checks and take over administrative user accounts, has been exploited in the wild.

Security pros said the main concern around the flaw, tracked as CVE-2025-5397 and rated 9.8 in severity, was that it could trigger broad risk: from stolen résumés and recruiter data to impersonation scams launched through hijacked job listings. JobMonster was listed as having more than 5,600 sales on the ThemeForest marketplace, a figure that suggests many thousands of affected sites and users.

“The primary critical risk posed by the JobMonster scenario is the exposure of high-value PII [personally identifiable information] on these job platforms, resulting in potential long-term identity fraud for the compromised users and potentially severe regulatory penalties for the organization,” said MacKenzie Brown, vice president of the Adversary Pursuit Group at Blackpoint Cyber.

Brown said security teams must focus on a patching strategy for these types of vulnerabilities, and even if urgent patching isn’t possible, they need to disable the social login function to stop active exploitation and post-exploitation risk.

“Overall, this event highlights that modern attackers use seemingly minor third-party components as pivot points to bypass great perimeter defense and gain a foothold,” said Brown.

Shane Barney, chief information security officer at Keeper Security, said organizations should treat this case as an emergency patching priority by updating to version 4.8.2, disabling social login until remediation is complete, and auditing administrative accounts for unauthorized activity.

“For job boards and recruitment platforms, the impact extends well beyond reputational damage,” said Barney. “A breach can expose names, email addresses, phone numbers, résumés and employment histories — data that can be weaponized for identity theft, phishing and social-engineering campaigns against job seekers and employers alike.”

Jeff Liford, associate director at Fenix24, said recruitment platforms aren’t just informational websites; they’re funnels for personal data. Liford pointed out that a takeover of a recruitment portal hands the threat actor a warehouse of résumés, communication details, employment history, and sometimes even government-issued identification or Social Security numbers.

“That data fuels identity theft, loan fraud, and highly personalized and convincing scams,” said Liford. “Site operators should update systems immediately, enforce MFA for administrative access, and continuously monitor and audit access logs. Any sign of unauthorized administrative access should be treated as a potential data breach.”
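Barney and Liford both recommend auditing administrative accounts and watching access logs for unauthorized administrative access. The script below is an added example of what those two checks can look like; it is not code from the article, from JobMonster, or from any of the quoted firms. It assumes the administrator list comes from WP-CLI's `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json` and that the web server writes Apache/Nginx combined-format access logs. The allow-list, the review date, the account records and the log lines are all constructed for the example.

```python
"""Two checks for a suspected WordPress admin takeover: audit who holds the
administrator role, and look for admin-area activity with no login behind it.
Example code written for this article; it is not JobMonster's code.
"""
import json
import re
from datetime import datetime, timezone

# --- 1. Administrator account audit -----------------------------------------
# Assumed input: the JSON printed by
#   wp user list --role=administrator \
#       --fields=ID,user_login,user_email,user_registered --format=json
# The records below are constructed for this example, not data from any site.
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2021-03-02 09:14:33"},
    {"ID": 17, "user_login": "hr_manager", "user_email": "hr@example.com",
     "user_registered": "2023-11-20 16:02:10"},
    {"ID": 4021, "user_login": "support", "user_email": "support@mail.invalid",
     "user_registered": "2025-06-25 03:41:57"},
])

# The operators' own list of administrators they created (assumed for the example).
KNOWN_ADMINS = {"siteowner", "hr_manager"}
# Any administrator registered on or after this date is reviewed even when it is
# on the allow-list (assumed review window for the example).
REVIEW_FROM = datetime(2025, 6, 1, tzinfo=timezone.utc)


def parse_registered(value):
    """WordPress stores user_registered as 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def audit_admins(export_json, known_admins=KNOWN_ADMINS, review_from=REVIEW_FROM):
    """Return (user_login, reason) findings for administrator accounts."""
    findings = []
    for user in json.loads(export_json):
        login = user["user_login"]
        registered = parse_registered(user["user_registered"])
        if login not in known_admins:
            findings.append((login, "administrator not on the allow-list"))
        if registered >= review_from:
            findings.append((login, f"registered {registered:%Y-%m-%d}, inside the review window"))
    return findings


# --- 2. Admin-area requests with no login in front of them ------------------
# Assumed input: combined-format access log lines. With an authentication
# bypass there is no password POST to /wp-login.php, so an IP that is served
# a /wp-admin/ page without one is worth a look.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed log lines for the example (documentation IP ranges, invented times).
SAMPLE_LOG = """\
203.0.113.9 - - [26/Jun/2025:03:40:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Jun/2025:03:40:13 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [26/Jun/2025:03:41:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Jun/2025:03:41:50 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 8192 "-" "curl/8.4.0"
198.51.100.7 - - [26/Jun/2025:03:41:57 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "curl/8.4.0"
192.0.2.44 - - [26/Jun/2025:03:45:09 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def admin_access_without_login(log_lines):
    """Return sorted IPs that got a 200 from a /wp-admin/ page with no earlier
    POST to /wp-login.php from the same IP in the given lines."""
    logged_in = set()
    suspicious = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or non-combined-format line
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if method == "POST" and path.startswith("/wp-login.php"):
            logged_in.add(ip)
        elif (path.startswith("/wp-admin/")
              # the public front end calls admin-ajax.php without being logged in
              and not path.startswith("/wp-admin/admin-ajax.php")
              # an anonymous hit on /wp-admin/ gets a 302 to the login page, not a 200
              and status == 200
              and ip not in logged_in):
            suspicious.add(ip)
    return sorted(suspicious)


if __name__ == "__main__":
    for login, reason in audit_admins(SAMPLE_EXPORT):
        print(f"admin audit: {login}: {reason}")
    for ip in admin_access_without_login(SAMPLE_LOG.splitlines()):
        print(f"access log: {ip} reached wp-admin without a visible login")
```

Two caveats a practitioner should keep in mind. The log heuristic is a starting point, not proof: a session cookie issued before the current log file was rotated, or a login that went through XML-RPC, the REST API or a social-login flow rather than `wp-login.php`, will show up as "no login" too, and behind a reverse proxy the first field is the proxy's address unless the server is configured to log the forwarded client IP. The account audit only catches administrators that were added; an attacker who reused an existing administrator account leaves nothing in the user list, which is why a hit from either check should be followed by a review of what that account or address actually did.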
