Multiple WordPress Plugins Vulnerabilities

Severity

High

Analysis Summary

CVE-2025-5397 CVSS:9.8

The Noo JobMonster theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.8.1. This is due to the check_login() function not properly verifying a user's identity prior to successfully authenticating them. This makes it possible for unauthenticated attackers to bypass standard authentication and access administrative user accounts. Please note social login needs to be enabled in order for a site to be impacted by this vulnerability.

CVE-2025-7846 CVSS:8.8

The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVE-2025-8900 CVSS:9.8

The Dreams Technologies Doccure Core plugin for WordPress could allow a remote attacker to gain elevated privileges on the system, caused by a flaw that allows users who are registering new accounts to set their own role or supply the user_type field.

CVE-2025-8489 CVSS:9.8

The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for the Elementor Plugin for WordPress could allow a remote authenticated attacker to gain elevated privileges on the system, due to improperly restricting the roles users can register with.

Impact

  • Privilege Escalation
  • Code Execution
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2025-5397

  • CVE-2025-7846

  • CVE-2025-8900

  • CVE-2025-8489

Affected Vendors

  • WordPress

Affected Products

  • Noo JobMonster *
  • WordPress User Extra Fields Plugin for WordPress 16.7
  • Dreams Technologies Doccure Core plugin for WordPress
  • WordPress King Addons for Elementor Plugin for WordPress 24.12.92
  • WordPress King Addons for Elementor Plugin for WordPress 51.1.14

Remediation

Update the affected WordPress theme and plugins to the latest available versions.
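
CVE-2025-8900 and CVE-2025-8489 both come down to a registration request choosing its own role. The following must-use plugin is an added example, not code from this advisory or from the affected vendors; it enforces a role allowlist on accounts that were not created by an administrator. The file name, function name, constant and the allowlist contents are assumptions to adapt per site.

```php
<?php
/**
 * Example file: wp-content/mu-plugins/example-role-guard.php (hypothetical name).
 * Resets any role outside an allowlist when it is assigned without an
 * administrator (or WP-CLI) driving the request.
 * Assumption: privileged accounts on this site are only ever created or
 * promoted by a logged-in user holding 'promote_users', or from WP-CLI.
 */
defined( 'ABSPATH' ) || exit;

// Roles a self-registering visitor may legitimately receive (assumed list).
const EXAMPLE_SELF_REGISTER_ROLES = array( 'subscriber', 'customer' );

// 'user_register' fires after the account is created; 'set_user_role' fires
// whenever WP_User::set_role() runs, which covers plugins that assign the
// role in a second step after creating the user.
add_action( 'user_register', 'example_reset_self_assigned_role', PHP_INT_MAX );
add_action( 'set_user_role', 'example_reset_self_assigned_role', PHP_INT_MAX );

function example_reset_self_assigned_role( $user_id ) {
	// Leave installs, WP-CLI runs and administrator-driven changes alone.
	if ( ( defined( 'WP_INSTALLING' ) && WP_INSTALLING )
		|| ( defined( 'WP_CLI' ) && WP_CLI )
		|| current_user_can( 'promote_users' ) ) {
		return;
	}

	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return;
	}

	$unexpected = array_diff( (array) $user->roles, EXAMPLE_SELF_REGISTER_ROLES );
	if ( empty( $unexpected ) ) {
		return; // Also ends the re-entrant call triggered by set_role() below.
	}

	// Fall back to 'subscriber' if the site default is itself outside the allowlist.
	$safe_role = get_option( 'default_role', 'subscriber' );
	if ( ! in_array( $safe_role, EXAMPLE_SELF_REGISTER_ROLES, true ) ) {
		$safe_role = 'subscriber';
	}

	// set_role() replaces every role the account holds with the one given.
	$user->set_role( $safe_role );
	error_log( sprintf( 'role-guard: reset role(s) [%s] on user %d to %s',
		implode( ',', $unexpected ), $user_id, $safe_role ) );
}
```

The `error_log` entries double as a detection signal: each line records a registration or role change that requested a role outside the allowlist.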
