CVE-2025-52806 Overview
CVE-2025-52806 is a PHP Local File Inclusion (LFI) vulnerability in the eyecix JobSearch (wp-jobsearch) WordPress plugin. The flaw stems from improper control of filenames used in PHP include/require statements, classified under [CWE-98]. Authenticated attackers with low privileges can supply input that the plugin passes unchanged to a file inclusion function, which lets them read or execute arbitrary local PHP files on the server. The issue affects all wp-jobsearch versions up to and including 3.0.8.
Critical Impact
Successful exploitation can disclose sensitive server-side files, expose WordPress credentials in wp-config.php, and lead to remote code execution when combined with file upload primitives.
Affected Products
- eyecix JobSearch (wp-jobsearch) WordPress plugin versions up to and including 3.0.8
- WordPress sites running the JobSearch plugin with low-privileged user registration enabled
- Multisite WordPress deployments where the plugin is network-activated
Discovery Timeline
- 2025-08-14 - CVE-2025-52806 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-52806
Vulnerability Analysis
The vulnerability resides in a PHP file inclusion routine within wp-jobsearch that accepts user-controlled input without proper validation against an allowlist. PHP file inclusion functions such as include, include_once, require, and require_once execute the contents of any file path passed to them. When attacker-influenced data reaches these functions, the attacker controls which file the PHP interpreter loads and runs. The CWE-98 classification confirms the root issue: improper control of filenames used in PHP include/require statements.
The vendor advisory documents this as a Local File Inclusion vector. Although the CWE title references Remote File Inclusion, the practical exploitation path on default PHP configurations is local because allow_url_include is typically disabled. Attackers can still traverse the filesystem with sequences like ../../../../ to access files outside the plugin directory.
Root Cause
The plugin builds a file path from request parameters and passes it to a PHP inclusion function without canonicalization or restriction to a known-safe directory. Missing validation against directory traversal sequences and missing extension checks combine to expose the inclusion sink to untrusted input.
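The following illustration is added here to show the CWE-98 pattern described above beside a hardened version; it is not code from wp-jobsearch, and the function names, the template names in the allowlist and the templates/ directory layout are assumptions made for the example. The hardened resolver combines an exact-name allowlist with realpath() canonicalization and a containment check, so neither traversal sequences nor a symlinked template can pull in a file outside the intended directory.

```php
<?php
// Added illustration of the CWE-98 include pattern and its hardened form.
// Not wp-jobsearch code: function names, template names and paths are assumptions.
declare(strict_types=1);

// Vulnerable shape: the request value is concatenated straight into the
// include path, so "../" sequences escape the templates directory.
// Defined only for contrast; the demo below never calls it.
function jobsearch_load_template_vulnerable(string $templatesDir, string $template): void
{
    include $templatesDir . '/' . $template . '.php';
}

// Hardened shape: allowlist the exact template names the plugin ships,
// canonicalize with realpath(), and require the result to stay under the base.
function jobsearch_resolve_template(string $templatesDir, string $template): ?string
{
    static $allowed = ['job-list', 'job-single', 'candidate-profile']; // assumed names

    if (!in_array($template, $allowed, true)) {
        return null; // unknown name: no '/', '.', or "\0" can reach the include
    }

    $baseReal  = realpath($templatesDir);
    $candidate = realpath($templatesDir . '/' . $template . '.php');
    if ($baseReal === false || $candidate === false) {
        return null; // directory or template file does not exist
    }

    // Defence in depth: a symlinked template that points outside the base
    // resolves to a foreign path and fails this prefix check.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function jobsearch_load_template_hardened(string $templatesDir, string $template): void
{
    $path = jobsearch_resolve_template($templatesDir, $template);
    if ($path === null) {
        throw new InvalidArgumentException('Unknown template'); // wp_die() inside WordPress
    }
    include $path;
}

// Demo: build a throwaway templates directory and exercise the resolver.
$dir = sys_get_temp_dir() . '/jobsearch-demo-' . getmypid();
mkdir($dir . '/templates', 0700, true);
file_put_contents($dir . '/templates/job-list.php', "<?php echo \"rendered job-list\\n\";\n");
file_put_contents($dir . '/wp-config.php', "<?php // stand-in for a sensitive file\n");

jobsearch_load_template_hardened($dir . '/templates', 'job-list');

// 'job-list' is allowlisted and present; '../wp-config' is not allowlisted;
// 'job-single' is allowlisted but the file is absent in this demo.
foreach (['job-list', '../wp-config', 'job-single'] as $name) {
    $resolved = jobsearch_resolve_template($dir . '/templates', $name);
    echo str_pad($name, 14), ' => ', $resolved === null ? 'rejected' : 'ok', PHP_EOL;
}

// Clean up the demo files.
unlink($dir . '/templates/job-list.php');
unlink($dir . '/wp-config.php');
rmdir($dir . '/templates');
rmdir($dir);
```

The allowlist is the control that matters: realpath() alone still lets a caller pick any existing .php file under the base, and the prefix check alone does nothing against a name that already resolves inside it. Checking the exact name first, then canonicalizing, closes both gaps.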
Attack Vector
The attack is delivered over the network and requires low-privileged authentication, such as a subscriber account on a site that permits open user registration. An authenticated attacker sends a crafted HTTP request to a vulnerable endpoint provided by wp-jobsearch, supplying a manipulated parameter that resolves to a local file path. The PHP interpreter then includes that file, executing any PHP code it contains and returning file contents in the response when applicable.
No verified public exploit code is available for CVE-2025-52806. See the Patchstack Vulnerability Advisory for technical details.
Detection Methods for CVE-2025-52806
Indicators of Compromise
- HTTP requests to wp-jobsearch endpoints containing directory traversal sequences such as ../, ..%2f, or URL-encoded null bytes (%00)
- Unexpected access patterns to sensitive paths including wp-config.php, /etc/passwd, or /proc/self/environ originating from PHP worker processes
- New or modified PHP files in the WordPress uploads directory referenced by include operations
- Outbound network connections from the PHP-FPM or web server process to attacker-controlled infrastructure shortly after suspicious plugin requests
Detection Strategies
- Inspect web server access logs for requests targeting wp-jobsearch action handlers that include path-like parameter values
- Deploy a web application firewall (WAF) rule set that flags Local File Inclusion patterns against WordPress plugin endpoints
- Monitor PHP error logs for include() and require() warnings referencing unexpected paths
- Track installed plugin versions across the WordPress fleet and flag any wp-jobsearch install at or below version 3.0.8
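The script below is an added example of the log inspection and version tracking listed above; it is not a vendor or Patchstack tool. It scans combined-format access log lines for the indicators given in this section (traversal sequences, URL-encoded forms, null bytes, absolute paths, wp-config.php) on requests that can reach the plugin, and flags wp-jobsearch versions at or below 3.0.8. The log lines are constructed for the demo, and the AJAX action and parameter names in them are invented, since this page does not give the plugin's real endpoint or parameter names.

```php
<?php
// Added example: LFI indicator scan over access log lines plus a version check.
// Not vendor code. Sample lines, action and parameter names are constructed.
declare(strict_types=1);

// Versions up to and including 3.0.8 are affected.
function jobsearch_version_is_affected(string $installed): bool
{
    return version_compare($installed, '3.0.8', '<=');
}

// Returns the indicator labels that match one log line (empty array = clean).
function jobsearch_lfi_indicators(string $line): array
{
    if (!preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"#', $line, $m)) {
        return [];
    }
    $target = $m[1];

    // Restrict to traffic that can reach the plugin: its own files or the
    // WordPress AJAX dispatcher that plugin action handlers hang off.
    if (stripos($target, 'wp-jobsearch') === false
        && stripos($target, 'admin-ajax.php') === false) {
        return [];
    }

    // Decode up to three times so double-encoded payloads normalise too.
    $decoded = $target;
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }

    $hits = [];
    if (preg_match('#\.\.[/\\\\]#', $decoded)) {
        $hits[] = 'traversal';
    }
    if (strpos($decoded, "\0") !== false) {
        $hits[] = 'null-byte';
    }
    if (preg_match('#[=&]/(?:etc|proc)/#i', $decoded)) {
        $hits[] = 'absolute-path';
    }
    if (stripos($decoded, 'wp-config.php') !== false) {
        $hits[] = 'wp-config';
    }
    return $hits;
}

// Constructed sample lines (not real traffic); the jsx_tpl parameter and
// example_jobsearch action are invented placeholders.
$sampleLines = [
    '198.51.100.7 - - [15/Aug/2025:10:02:30 +0000] "GET /wp-content/plugins/wp-jobsearch/css/style.css HTTP/1.1" 200 3200',
    '203.0.113.10 - subscriber1 [15/Aug/2025:10:03:09 +0000] "GET /wp-admin/admin-ajax.php?action=example_jobsearch&jsx_tpl=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 880',
    '203.0.113.10 - subscriber1 [15/Aug/2025:10:03:41 +0000] "GET /wp-admin/admin-ajax.php?action=example_jobsearch&jsx_tpl=%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1044',
    '192.0.2.55 - - [15/Aug/2025:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
];

foreach ($sampleLines as $n => $line) {
    $hits = jobsearch_lfi_indicators($line);
    if ($hits !== []) {
        printf("line %d: ALERT %s\n", $n + 1, implode(',', $hits));
    }
}

foreach (['3.0.8', '3.0.9'] as $v) {
    printf("wp-jobsearch %s affected: %s\n", $v, jobsearch_version_is_affected($v) ? 'yes' : 'no');
}
```

Run it with php-cli against real log lines by replacing $sampleLines with a file read; the authenticated user field (third column) is worth keeping in the alert output, since the vulnerability requires a logged-in low-privilege account and that name identifies which account to review.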
Monitoring Recommendations
- Enable file integrity monitoring on the WordPress document root and the wp-content/plugins/wp-jobsearch/ directory
- Forward WordPress, PHP, and web server logs to a centralized logging platform for correlation and retention
- Alert on authenticated low-privilege accounts performing high volumes of requests against plugin AJAX endpoints
How to Mitigate CVE-2025-52806
Immediate Actions Required
- Update wp-jobsearch to a version above 3.0.8 as soon as a fixed release is available from eyecix
- Audit WordPress user accounts and remove unused or unexpected low-privileged users
- Disable open self-registration on sites that do not require it by unchecking "Anyone can register" under Settings > General > Membership
- Rotate WordPress database credentials and secret keys if exploitation is suspected, then review uploads for webshells
Patch Information
Review the Patchstack Vulnerability Advisory for the current patched version of wp-jobsearch. Apply the vendor-supplied update through the WordPress plugin manager or by replacing the plugin directory with the patched release. Confirm the installed version is greater than 3.0.8 after the update.
Workarounds
- Deactivate and remove the wp-jobsearch plugin until a patched version is installed
- Set allow_url_include = Off and allow_url_fopen = Off in php.ini to limit inclusion of remote resources; note that these settings do not block the local inclusion path itself
- Apply a WAF virtual patch that blocks directory traversal sequences and absolute paths in wp-jobsearch request parameters
- Restrict filesystem permissions (and PHP's open_basedir) so the PHP process can read only the paths it needs, limiting what an include can reach beyond the expected directories; wp-config.php itself must remain readable by PHP, so protecting it depends on the other controls listed here
; Configuration example: harden php.ini against file inclusion abuse
; (php.ini comments use ";" - a leading "#" is not accepted on PHP 7 and later)
; Block include/require and fopen-style access to remote URLs
allow_url_include = Off
allow_url_fopen = Off
; Confine PHP file access to the web root and temp directory; adjust the paths to the deployment
open_basedir = "/var/www/html:/tmp"
; Remove command-execution functions so an included file cannot spawn processes
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

