JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin Security & Risk Analysis

The jobwp plugin v2.4.7 presents a mixed security posture. While the static analysis indicates a relatively small attack surface with no immediately identified unprotected entry points, and a decent number of nonce and capability checks, there are significant concerns. The presence of the `unserialize` dangerous function raises immediate red flags, as it's a common vector for Remote Code Execution vulnerabilities if not handled with extreme care and sanitization. The taint analysis, though limited in scope, did reveal one flow with an unsanitized path, which warrants further investigation. The plugin's vulnerability history is particularly alarming, with a total of 7 known CVEs, including past critical and high-severity issues like Cross-Site Scripting, SQL Injection, and Unrestricted File Uploads. The fact that the last vulnerability was reported in January 2026, and the current version is v2.4.7, suggests that the plugin may have a history of security flaws that could reappear or be reintroduced in future versions, even if currently unpatched vulnerabilities are zero. This history indicates a pattern of potentially weak security practices in its development lifecycle.

Despite the positive signals like the use of prepared statements for a majority of SQL queries and a good number of outputs, the identified dangerous functions, a taint flow with unsanitized input, and the extensive past vulnerability record collectively point to a moderate to high-risk plugin. The absence of any reported critical issues in the current static analysis is a positive sign, but the historical context and the presence of `unserialize` suggest that users should exercise caution and ensure they are running the absolute latest version of the plugin and have appropriate security measures in place.