Security researchers reported active exploitation attempts against a critical authentication bypass in the JobMonster WordPress theme that can allow attackers to hijack administrator accounts under certain conditions. The activity was detected after multiple exploit attempts were blocked against Wordfence clients over a 24-hour period.
JobMonster, developed by NooThemes and used for job listing sites and recruitment portals, has more than 5,500 sales on Envato. The vulnerability is tracked as CVE-2025-5397 and carries a critical severity score of 9.8; it affects all theme versions up to 4.8.1.
Wordfence said the flaw stems from the theme’s check_login() function not properly verifying a user’s identity before authenticating them; the firm’s advisory notes that this can enable unauthenticated attackers to bypass normal authentication and access administrative accounts.
Exploitation requires that social login be enabled on affected sites because JobMonster trusts external login data without adequate verification, allowing attackers to forge administrative access without valid credentials. Attackers typically also need the target administrator’s username or email. The issue was fixed in JobMonster version 4.8.2, and site operators are advised to update immediately or, if that is not possible, disable social login, enable two-factor authentication for administrator accounts, rotate credentials and review access logs for suspicious activity.
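As an added illustration of the pattern described above, not JobMonster’s code: a hypothetical WordPress social-login callback that trusts a caller-supplied email address (the class of flaw the advisory describes) beside a hardened form that accepts the address only from an identity token the provider itself confirms. The function names, the Google tokeninfo endpoint and the expected client id are assumptions for the example.

```php
<?php
// Hypothetical social-login callback (constructed example, not JobMonster's code).
// Sketch A: the insecure pattern. Whatever identity the caller claims is looked up
// and logged in, so knowing an administrator's email is enough to become that admin.
function insecure_social_login( array $request ) {
    $user = get_user_by( 'email', sanitize_email( $request['email'] ?? '' ) );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown account' );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return $user;
}

// Sketch B: hardened form. The email comes only from a token the provider validates,
// the token must have been issued for this site, and the provider must vouch for the
// address before any local user lookup happens.
function verified_social_login( string $id_token, string $expected_client_id ) {
    // Google's tokeninfo endpoint (assumed provider); others publish JWKS keys for
    // local signature verification instead.
    $resp = wp_remote_get(
        'https://oauth2.googleapis.com/tokeninfo?id_token=' . rawurlencode( $id_token )
    );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return new WP_Error( 'bad_token', 'Identity token rejected by provider' );
    }
    $claims = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( ! is_array( $claims )
        || ( $claims['aud'] ?? '' ) !== $expected_client_id   // issued for this site
        || 'true' !== ( $claims['email_verified'] ?? '' )     // provider confirmed the address
        || empty( $claims['email'] ) ) {
        return new WP_Error( 'bad_claims', 'Token claims do not match this site' );
    }
    $user = get_user_by( 'email', $claims['email'] );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown account' );
    }
    // Defence in depth: never sign privileged accounts in through social login at all.
    if ( user_can( $user, 'manage_options' ) ) {
        return new WP_Error( 'admin_blocked', 'Administrators must use password and 2FA' );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return $user;
}
```

The final role check mirrors the advisory’s interim advice: even with token verification in place, keeping administrator logins off the social-login path limits the blast radius of a future flaw in that code.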
Theme-related vulnerabilities have been a frequent target recently. Last week Wordfence reported malicious activity targeting the Freeio premium theme via CVE-2025-11533, and earlier incidents involving other themes allowed attackers to gain administrative access or remote code execution, with defenders reporting large numbers of blocked attempts in some cases.
Site operators should apply the 4.8.2 update as a priority; Wordfence has blocked multiple attempts but has not provided a total count of successfully compromised sites.