Description
The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the 'downloadCustomUploadedFile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2025-12-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Disclosure
Action: Patch
AI Analysis

Impact

A vulnerability in the WP Job Portal WordPress plugin allows an authenticated user with at least subscriber-level access to invoke the 'downloadCustomUploadedFile' function and read any file on the server. The flaw results from unchecked file path handling, enabling the attacker to retrieve sensitive or confidential contents. This directly compromises the confidentiality of server files and can expose private data, configuration files or credentials.

Affected Systems

The flaw affects installations of WP Job Portal – AI‑Powered Recruitment System for Company or Job Board website, versions 2.4.0 and earlier. The plugin is distributed under the WP Job Portal name and is typically installed within a WordPress site.

Risk and Exploitability

The CVSS score of 6.5 categorises this issue as moderate severity, and its EPSS score of less than 1% indicates a low probability of exploitation at present. It is not listed in the CISA KEV catalog. An attacker must first log in as a user with the Subscriber role or higher and then send a crafted request to the endpoint; the lack of file-path validation enables arbitrary file read from the server.

Generated by OpenCVE AI on April 21, 2026 at 17:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Job Portal plugin to version 2.4.1 or later to eliminate the vulnerable file‑read endpoint.
  • If an immediate upgrade is not possible, disable or restrict the 'downloadCustomUploadedFile' action for all users except those who require it, or limit access to a whitelisted set of file paths.
  • Verify that the web server’s file permissions and the subscriber role’s capabilities do not allow reading of sensitive files, and apply the principle of least privilege to all user accounts.

Generated by OpenCVE AI on April 21, 2026 at 17:34 UTC.
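A hardened download handler of the kind the actions above call for, as an added example (this is not WP Job Portal's code; the function name, the wp_ajax action, the file query parameter, the upload subdirectory and the manage_options capability are assumptions for illustration):

```php
<?php
// Added example, not plugin code: a WordPress download handler that performs
// the checks whose absence the advisory describes. Assumptions: uploads live in
// wp-content/uploads/wpjobportal, the request carries ?file=<name>&nonce=<n>,
// and only users with manage_options may download.

function wpjp_safe_download() {
    // 1. Require a capability, not merely a logged-in (Subscriber) account.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required', '', array( 'response' => 401 ) );
    }
    check_ajax_referer( 'wpjp_download', 'nonce' );      // CSRF protection
    if ( ! current_user_can( 'manage_options' ) ) {       // assumed capability
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // 2. Confine the requested path to the plugin's own upload directory.
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'wpjobportal' );
    $name   = isset( $_GET['file'] ) ? (string) wp_unslash( $_GET['file'] ) : '';

    // Reject empty names and embedded null bytes before touching the filesystem.
    if ( '' === $name || false !== strpos( $name, "\0" ) || false === $base ) {
        wp_die( 'Invalid file', '', array( 'response' => 400 ) );
    }

    // realpath() resolves "../" segments and symlinks; the prefix comparison then
    // rejects any resolved path that escapes $base (e.g. wp-config.php).
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $target
         || 0 !== strncmp( $target, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 )
         || ! is_file( $target ) ) {
        wp_die( 'Invalid file', '', array( 'response' => 400 ) );
    }

    // 3. Serve with a fixed content type and a filename derived from the resolved path.
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $target ) . '"' );
    header( 'Content-Length: ' . filesize( $target ) );
    readfile( $target );
    exit;
}
add_action( 'wp_ajax_wpjp_download', 'wpjp_safe_download' );
```

The containment test is the part that closes CWE-22: even a name that passes superficial filtering cannot resolve outside the base directory once realpath() has canonicalised it.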

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000


Fri, 12 Dec 2025 09:00:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Wordpress; Wordpress wordpress; Wpjobportal; Wpjobportal wp Job Portal

Type: Vendors & Products
Values Removed: (empty)
Values Added: Wordpress; Wordpress wordpress; Wpjobportal; Wpjobportal wp Job Portal

Thu, 11 Dec 2025 22:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Dec 2025 20:45:00 +0000

Type: Description
Values Removed: (empty)
Values Added: The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the 'downloadCustomUploadedFile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Type: Title
Values Removed: (empty)
Values Added: WP Job Portal <= 2.4.0 - Authenticated (Subscriber+) Arbitrary File Read

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-22

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Wordpress Wordpress
Wpjobportal Wp Job Portal
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:34.317Z

Reserved: 2025-12-08T19:46:21.034Z

Link: CVE-2025-14293

Vulnrichment

Updated: 2025-12-11T21:16:51.635Z

NVD

Status : Deferred

Published: 2025-12-11T21:15:46.730

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14293

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:45:16Z

Weaknesses