Hackers exploit critical auth bypass flaw in JobMonster WordPress theme
Threat actors are exploiting a critical vulnerability, CVE-2025-5397, in the JobMonster WordPress theme to hijack administrator accounts on sites where social login is enabled. The flaw affects all versions up to 4.8.1 and is fixed in version 4.8.2. Users are advised to upgrade or disable social login, and to enable two-factor authentication and other safeguards. 2025-11-4 09:15:20 Author: www.bleepingcomputer.com

Threat actors are targeting a critical vulnerability in the JobMonster WordPress theme that allows hijacking of administrator accounts under certain conditions.

The malicious activity was detected by Wordfence, a WordPress security firm, after blocking multiple exploit attempts against its clients over the past 24 hours.

JobMonster, created by NooThemes, is a premium WordPress theme used by job listing sites, recruitment/hiring portals, candidate search tools, etc. The theme has over 5,500 sales on Envato.

The exploited vulnerability is identified as CVE-2025-5397 and has a critical-severity score of 9.8. It is an authentication bypass problem that impacts all versions of the theme up to 4.8.1.

“[The flaw] is due to the check_login() function not properly verifying a user's identity prior to successfully authenticating them,” reads the flaw’s description.

“This makes it possible for unauthenticated attackers to bypass standard authentication and access administrative user accounts.”

To exploit CVE-2025-5397, social login needs to be enabled on sites using the theme; otherwise, there’s no impact.

Social login is a feature that enables users to sign in to a website using their existing social media accounts, such as “Sign in with Google,” “Login with Facebook,” and “Continue with LinkedIn.”

JobMonster trusts the external login data without verifying it properly, allowing attackers to fake admin access without holding valid credentials.

Typically, an attacker would also need to know the target administrator’s account username or email.
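As an added illustration that is not JobMonster's code and not the actual 4.8.2 patch, the following shows the general pattern the description names (a login handler that acts on an identity supplied by the social-login callback) beside a hardened handler that accepts only an identity the provider confirmed server-side. The function names, the `social_login_sub` meta key and the `verify_provider_token()` helper are hypothetical; the WordPress calls (`get_user_by`, `get_users`, `wp_set_auth_cookie`, `WP_Error`) are real.

```php
<?php
// Added illustration, not theme code. Function and key names are hypothetical.

// Weak pattern: the callback hands us an e-mail and we look the account up
// directly, so whoever controls the request chooses which account is used.
function check_login_weak(array $callback) {
    $user = get_user_by('email', sanitize_email($callback['email'] ?? ''));
    if (!$user) {
        return new WP_Error('no_user', 'Unknown account');
    }
    wp_set_auth_cookie($user->ID);   // session issued with no proof of identity
    return $user;
}

// Hardened pattern: the only identity accepted is the one the provider
// vouches for, and the provider subject was linked to the WP user when the
// user first connected the social account (never by a client-typed e-mail).
function check_login_hardened(array $callback) {
    // Hypothetical helper: validates the token's signature, audience and
    // expiry against the provider and returns its claims, or null.
    $claims = verify_provider_token($callback['token'] ?? '');
    if (!$claims || empty($claims['sub'])) {
        return new WP_Error('bad_token', 'Provider token rejected');
    }
    $users = get_users([
        'meta_key'   => 'social_login_sub',   // hypothetical link stored at signup
        'meta_value' => $claims['sub'],
        'number'     => 1,
    ]);
    if (empty($users)) {
        return new WP_Error('not_linked', 'No account linked to this identity');
    }
    $user = $users[0];
    // Defence in depth: keep privileged roles off the social-login path entirely.
    if (in_array('administrator', (array) $user->roles, true)) {
        return new WP_Error('admin_blocked', 'Administrators must use password + 2FA');
    }
    wp_set_auth_cookie($user->ID);
    return $user;
}
```

The role check mirrors the article's mitigation advice: even with correct token validation, keeping administrator accounts on password plus two-factor authentication limits what a social-login defect can reach.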

CVE-2025-5397 has been fixed in JobMonster version 4.8.2, currently the most recent, so users are advised to move to the patched release immediately.

If immediate upgrading is impossible, consider disabling the social login function on affected websites as a mitigation.

It is also advisable to enable two-factor authentication for all administrator accounts, rotate credentials, and check access logs for suspicious activity.

WordPress themes have been at the epicenter of malicious activity in recent months.

Last week, Wordfence reported malicious activity targeting the Freeio premium theme by leveraging CVE-2025-11533, a critical privilege escalation flaw.

In early October, threat actors targeted CVE-2025-5947, a critical authentication bypass problem in the Service Finder WordPress theme, allowing them to log in as administrators.

In July 2025, it was reported that hackers targeted the WordPress theme 'Alone' to achieve remote code execution and perform a full site takeover, with Wordfence blocking over 120,000 attempts at the time.

WordPress plugins and themes must be updated regularly to ensure the latest security fixes are active on the sites. Delaying patches gives threat actors opportunities for successful attacks, sometimes a full year later.


Source: https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-auth-bypass-flaw-in-jobmonster-wordpress-theme/