CVE-2025-1315
Published: 07 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-1315 is a privilege escalation vulnerability in the InWave Jobs plugin for WordPress, affecting all versions up to and including 3.5.1. The issue stems from the plugin failing to properly validate a user's identity before allowing a password update, enabling unauthorized password changes. It has been assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-306 (Missing Authentication for Critical Function).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By targeting the password reset functionality, they can change the passwords of arbitrary users, including administrators, thereby gaining full unauthorized access to those accounts and potentially complete control over the affected WordPress site.
Advisories from Wordfence provide detailed threat intelligence on the vulnerability, including its ID e49c7b2a-5241-4762-b7c9-c33b1ac4a668. The plugin's page on ThemeForest offers additional context on the InWave Jobs component. No specific patch information is detailed in the available references, so site owners should review these sources for updates and consider disabling the plugin until remediation is confirmed.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing WordPress plugin allows unauthenticated remote password changes on arbitrary accounts, including administrators. This maps directly to exploitation of a public-facing application (T1190), privilege escalation (T1068), and account manipulation through unauthorized password modification (T1098).