CVE-2026-22340: WordPress WPJobster theme <= 6.3.5 - SQL Injection vulnerability
Unauthenticated SQL Injection in WPJobster <= 6.3.5 versions.
Metrics
- CVSS v3.1
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An unauthenticated SQL injection vulnerability affects the WPJobster WordPress theme at version 6.3.5 and below. The flaw is reachable over the network without any login or account, and the CVSS vector carries a changed scope (S:C), meaning the impacted component (the database) is distinct from the vulnerable component (the theme's PHP code). Successful exploitation allows an attacker to read sensitive data from the database (C:H) and cause limited service disruption (A:L); the vector records no integrity impact (I:N). HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection: Available
Detection for CVE-2026-22340 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in registries and CI/CD pipelines. Coverage extends to custom-built images that bundle the WPJobster theme, not just official upstream images.
Triage: Available
Triage uses the CVSS 3.1 base score of 9.3 (Critical), weighted further by each customer environment's compliance policy to determine urgency and escalation path. Findings are routable to the appropriate team inbox within each customer org based on image ownership and policy configuration.
Remediation: Pending upstream
Because no upstream fix version has been published for CVE-2026-22340, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once an upstream patch exists.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation over HTTP/HTTPS; for a publicly hosted site that means any position on the internet.
- Authentication: Not required
No account or credentials of any kind are needed; the injection is reachable by any unauthenticated HTTP request.
- Victim interaction: Not required
No user action or social engineering is required; the attacker sends a crafted request directly to the server.
- Attack complexity: Low
Attack complexity is Low, meaning no special timing, race condition, or environmental precondition stands between an attacker and a working request.
Blast Radius
- Attacker reads arbitrary database contents, including stored password hashes, session tokens, personal information, and any other data accessible to the database user WordPress connects with.
- The changed scope (S:C) records that the impacted component, the database server, lies outside the WordPress application boundary. How far that reaches in practice depends on the privileges of the MySQL account WordPress uses: on a shared database instance where that account can read other schemas, data belonging to other applications is potentially in reach as well.
- The limited availability impact (A:L) means the attacker can degrade or partially disrupt database responsiveness, affecting site functionality for legitimate users.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix for CVE-2026-22340 currently exists, HarborGuard monitors the Patchstack advisory and all relevant upstream feeds on every ingest cycle, ready to surface a patched-image rebuild the moment a fix version is published. In the interim, compensating controls available through HarborGuard policy configuration include network-policy isolation to restrict inbound traffic to the WordPress service, egress filtering to limit outbound database connections to known-safe endpoints, and flagging affected images as non-compliant to block promotion to production environments. For customers with auto-remediation enabled, once an upstream patch is available, the full rebuild, regression test, and PR flow will trigger automatically, with median time from CVE publication to merged patch PR for Critical-severity issues running around 90 minutes in environments where auto-remediation is active.
- Jobster Marketplace / WPJobster: ≤ 6.3.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L