CVE-2025-62025
Published: 22 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-62025 is a Deserialization of Untrusted Data vulnerability (CWE-502), also known as PHP object injection, in the eyecix JobSearch WordPress plugin (wp-jobsearch). This issue affects all versions of the plugin from its initial release through those prior to 3.0.8. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for severe impact across confidentiality, integrity, and availability.
A remote attacker requires no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation could allow the attacker to achieve high-impact outcomes, including unauthorized data access, modification of system data, or disruption of service, depending on the deserialization gadgets available in the environment.
Patchstack's advisory confirms the vulnerability and states that it is fixed in version 3.0.8 of the wp-jobsearch plugin. Security practitioners should urge WordPress site administrators to update to version 3.0.8 or later immediately, verify installations via the plugin dashboard, and monitor for indicators of compromise in affected versions.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Deserialization of Untrusted Data (PHP object injection) in a public-facing WordPress plugin enables remote exploitation without authentication or privileges, directly mapping to Exploit Public-Facing Application.