External risk intelligence

WPJobster Unauthenticated SQL Injection

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-22340

An unauthenticated SQL injection vulnerability exists in the WPJobster WordPress theme. If reachable, an attacker could send malicious SQL queries to access or modify sensitive data, impacting database integrity and availability. It is important to determine if this theme and version are in use within your web presence

SQL Injection

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

The vulnerability affects a WordPress theme, which by design powers public-facing websites. SQL injection in such components is commonly reachable via the internet as part of the standard web application request handling process.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability impacting the WPJobster WordPress theme. The flaw, an unauthenticated SQL injection, allows an attacker to potentially access or manipulate data within your WordPress installations. The primary concern is to confirm if this specific theme and version are in use, as a compromise could expose sensitive information.

  • Unauthenticated SQL injection in a WordPress theme.
  • Confirms if your WordPress theme is affected.
  • Assess exposure and confirm relevance.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a crafted SQL query to a vulnerable WordPress site using the WPJobster theme. This occurs because the application does not properly sanitize user input before incorporating it into database queries. Successful exploitation could allow an attacker to extract sensitive data from the database or potentially perform other unauthorized actions.

  • No authentication required.
  • Malicious SQL query sent to the site.
  • Sensitive data exposure and system disruption.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to inject malicious SQL queries into the system. This may occur when specific user inputs are not properly sanitized, potentially leading to unauthorized access or modification of data related to the WPJobster plugin.

  • Database integrity and availability.
  • Malicious SQL queries can be injected.
  • Unauthorized data access or modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

This unauthenticated SQL injection vulnerability in WPJobster could allow an attacker to compromise your data. The first step is to identify all instances of WPJobster across your web presence, determine their reachability and business criticality, and then assign ownership for remediation.

  • Identify WPJobster installations and owners.
  • Verify external accessibility and business impact.
  • Plan and execute remediation based on risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-22340 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This SQL injection vulnerability in WPJobster allows unauthenticated attackers to access sensitive database information, potentially leading to a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the WPJobster theme?

WPJobster is a WordPress theme designed to facilitate service marketplace functionality. It manages the front-end user experience and handles back-end database operations required to display and process job listings for site visitors.

How does CWE-89 relate to this SQL injection issue?

This vulnerability is classified under CWE-89, which occurs when an application fails to properly neutralize user-supplied input before incorporating it into database queries. This flaw enables attackers to append unauthorized SQL commands, potentially gaining access to the underlying database.

How is this SQL injection triggered without user credentials?

The vulnerability is triggered when a crafted SQL query is sent to a public-facing endpoint handled by the WPJobster theme. Because the theme does not sanitize this input, the query is executed by the server without requiring any administrative or user-level authentication.

Why is this WPJobster flaw considered a relevant risk?

As noted in the Halo Surface Signal, this vulnerability affects a theme built for public-facing websites, making it highly reachable over the network. Its presence in standard request handling increases the likelihood of unauthorized database access.

What steps should be taken to address this vulnerability?

To manage this risk, identify all active instances of the WPJobster theme within your environment. Once mapped, assess their external accessibility and business impact to prioritize remediation efforts and assign clear ownership for resolving the vulnerability.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished