Description
Path Traversal: '.../...//' vulnerability in wpjobportal WP Job Portal wp-job-portal allows PHP Local File Inclusion. This issue affects WP Job Portal: from n/a through <= 2.2.8.
Published: 2025-02-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Job Portal plugin for WordPress contains a Path Traversal flaw that allows attackers to craft URLs ending with sequences like '.../...//', leading the PHP runtime to include local files. This Local File Inclusion can enable reading sensitive configuration or web server files and, if the included files contain PHP code, arbitrary code execution on the server. The weakness is identified as CWE-22 and CWE-35.
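
Why the '.../...//' pattern named by CWE-35 survives a filter that strips '../' in a single pass, next to an include guard that relies on an allowlist and a resolved-path containment check instead of filtering. This is an added example, not WP Job Portal's code and not part of the OpenCVE record; the function names, view names and temporary paths are hypothetical.

```php
<?php
// Added illustration. Not the plugin's code; all names and paths are hypothetical.

// Weak pattern: one str_replace pass. Each ".../...//" in the input collapses
// to "../" once the inner "../" substrings are removed, so traversal survives.
function weak_sanitize(string $name): string
{
    return str_replace('../', '', $name);
}

// Hardened pattern: accept only known view names, then confirm the resolved
// file is still inside the template directory before it is ever included.
function resolve_template(string $baseDir, string $name, array $allowed): ?string
{
    if (!in_array($name, $allowed, true)) {
        return null;                        // unknown view name: reject outright
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;                        // directory or file does not exist
    }
    // The trailing separator stops "/views-other" from matching "/views".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                        // resolved outside the base directory
    }
    return $path;
}

// Constructed demo data: a temporary views directory holding one template.
$dir = sys_get_temp_dir() . '/lfi_demo_' . getmypid() . '/views';
mkdir($dir, 0700, true);
file_put_contents($dir . '/joblist.php', '<?php // constructed template');

$allowed = ['joblist', 'jobdetail'];        // hypothetical view names
$input   = '.../...//.../...//other';       // constructed traversal-style input

var_dump(weak_sanitize($input));                       // still contains "../"
var_dump(resolve_template($dir, $input, $allowed));    // rejected by the allowlist
var_dump(resolve_template($dir, 'joblist', $allowed)); // resolved path inside $dir

// Remove the constructed files again.
unlink($dir . '/joblist.php');
rmdir($dir);
rmdir(dirname($dir));
```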

Affected Systems

Affected systems are installations of the wpjobportal WP Job Portal plugin version 2.2.8 and earlier, which is commonly used on WordPress sites to manage job listings. The vulnerability exists prior to the release of version 2.2.9, so any site still running 2.2.8 or older is vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity that could lead to remote code execution if the attacker can supply a code file. The EPSS score of less than 1% shows that currently the likelihood of exploitation is low, and the vulnerability is not yet listed in the CISA KEV catalog. However, if an attacker can gather the correct traversal payload and the server allows PHP execution of arbitrary local files, the impact could be significant. The attack vector is likely a remote HTTP request to the vulnerable plugin endpoint.

Generated by OpenCVE AI on May 1, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Job Portal plugin to version 2.2.9 or later, which removes the vulnerable include logic.
  • Apply WordPress core updates and keep the plugin and theme revisions current to reduce attack surface.
  • Add .htaccess rules or configure the web server to block URLs containing '..' sequences and enforce directory access restrictions.
  • Verify that PHP's include_path setting does not allow traversal to sensitive directories; restrict it to safe directories.

Advisories
Source: EUVD
ID: EUVD-2025-5435
Title: Path Traversal vulnerability in wpjobportal WP Job Portal allows PHP Local File Inclusion. This issue affects WP Job Portal: from n/a through 2.2.8.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1)
  Removed: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Path Traversal vulnerability in wpjobportal WP Job Portal allows PHP Local File Inclusion. This issue affects WP Job Portal: from n/a through 2.2.8.
  Added: Path Traversal: '.../...//' vulnerability in wpjobportal WP Job Portal wp-job-portal allows PHP Local File Inclusion. This issue affects WP Job Portal: from n/a through <= 2.2.8.
References
Metrics (cvssV3_1)
  Removed: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 25 Mar 2025 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Wpjobportal
Wpjobportal wp Job Portal
Weaknesses CWE-22
CPEs cpe:2.3:a:wpjobportal:wp_job_portal:*:*:*:*:*:wordpress:*:*
Vendors & Products Wpjobportal
Wpjobportal wp Job Portal

Tue, 25 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 25 Feb 2025 14:30:00 +0000

Type Values Removed Values Added
Description Path Traversal vulnerability in wpjobportal WP Job Portal allows PHP Local File Inclusion. This issue affects WP Job Portal: from n/a through 2.2.8.
Title WordPress WP Job Portal plugin <= 2.2.8 - Local File Inclusion vulnerability
Weaknesses CWE-35
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:44.300Z

Reserved: 2025-02-17T11:51:10.110Z

Link: CVE-2025-26935

Vulnrichment

Updated: 2025-02-25T15:09:22.157Z

NVD

Status: Modified

Published: 2025-02-25T15:15:27.470

Modified: 2026-04-23T15:26:06.177

Link: CVE-2025-26935

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T15:30:20Z

Weaknesses