Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpjobportal WP Job Portal wp-job-portal allows PHP Local File Inclusion. This issue affects WP Job Portal: from n/a through <= 2.3.1.
Published: 2025-05-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Job Portal plugin for WordPress insufficiently validates filenames used in PHP include or require statements, allowing attackers to specify arbitrary local file paths. This Local File Inclusion flaw can be leveraged to read sensitive files on the server or, if the attacker can reach a writable file that will be executed, to execute arbitrary PHP code, resulting in remote code execution. The vulnerability is an instance of CWE-98, an input control weakness that compromises the integrity and confidentiality of the host environment.

Affected Systems

All releases of the WP Job Portal plugin up to and including version 2.3.1 are affected, regardless of the initial version. The plugin is distributed within the WordPress ecosystem.

Risk and Exploitability

The CVSS score of 8.1 classifies the flaw as high severity. The EPSS score of less than 1% indicates that, as of the latest data, exploitation attempts are uncommon, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is most likely the plugin’s input handling on the web interface, where an attacker can supply a crafted filename to trigger the inclusion. Based on the description, it is inferred that an attacker with access to the plugin’s interface could trigger the flaw and potentially achieve remote code execution or unauthorized file disclosure.

Generated by OpenCVE AI on April 30, 2026 at 19:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Job Portal plugin to the latest version that resolves the LFI issue, or patch the affected code to strictly validate and sanitize any filename parameters before inclusion.
  • If an immediate upgrade is not possible, disable the WP Job Portal plugin until a fix is available to eliminate the vulnerable include path.
  • Configure your web application firewall or server controls to block attempts to supply directory traversal tokens or to include system-level files via the plugin’s input endpoints.
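The "strictly validate and sanitize any filename parameters before inclusion" action can look like the following added example. It is not WP Job Portal code: the page does not show the vulnerable parameter or file layout, so `ALLOWED_TEMPLATES`, `resolve_template()` and the sample request values are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical template names; the request picks one of these, never a path.
const ALLOWED_TEMPLATES = ['joblist', 'jobdetail', 'resume'];

// Returns the canonical file to include, or null if the request is rejected.
function resolve_template(string $baseDir, string $requested): ?string
{
    // 1. Allowlist: only exact, known names are accepted (strict comparison).
    if (!in_array($requested, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise (resolves "..", symlinks) and confirm
    //    the result is still inside the template directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway template directory and sample request values.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
foreach (ALLOWED_TEMPLATES as $name) {
    file_put_contents($dir . DIRECTORY_SEPARATOR . $name . '.php', "<?php echo '$name';");
}

$samples = ['joblist', '../../wp-config', '/etc/passwd', 'resume/../joblist'];
foreach ($samples as $input) {
    $file = resolve_template($dir, $input);
    // A real handler would run `include $file;` only in the non-null case.
    printf("%-20s => %s\n", $input, $file === null ? 'rejected' : 'include ' . basename($file));
}

// Clean up the constructed directory.
array_map('unlink', glob($dir . DIRECTORY_SEPARATOR . '*.php'));
rmdir($dir);
```

Only `joblist` resolves to a file; the other three sample values fail the allowlist before any path is built, and the `realpath()` containment check remains as a second barrier if the allowlist is ever loosened.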



Advisories
Source: EUVD
ID: EUVD-2025-28082
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpjobportal WP Job Portal allows PHP Local File Inclusion. This issue affects WP Job Portal: from n/a through 2.3.1.
History

Wed, 29 Apr 2026 10:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpjobportal WP Job Portal allows PHP Local File Inclusion. This issue affects WP Job Portal: from n/a through 2.3.1.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpjobportal WP Job Portal wp-job-portal allows PHP Local File Inclusion.This issue affects WP Job Portal: from n/a through <= 2.3.1.

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 24 Jun 2025 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Wpjobportal
Wpjobportal wp Job Portal
CPEs cpe:2.3:a:wpjobportal:wp_job_portal:*:*:*:*:*:wordpress:*:*
Vendors & Products Wpjobportal
Wpjobportal wp Job Portal

Tue, 24 Jun 2025 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wpjobportal:wp_job_portal:*:*:*:*:*:wordpress:*:*
Vendors & Products Wpjobportal
Wpjobportal wp Job Portal

Tue, 24 Jun 2025 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Wpjobportal
Wpjobportal wp Job Portal
CPEs cpe:2.3:a:wpjobportal:wp_job_portal:*:*:*:*:*:wordpress:*:*
Vendors & Products Wpjobportal
Wpjobportal wp Job Portal

Fri, 23 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpjobportal WP Job Portal allows PHP Local File Inclusion. This issue affects WP Job Portal: from n/a through 2.3.1.
Title WordPress WP Job Portal plugin <= 2.3.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:55.323Z

Reserved: 2025-05-07T09:38:32.076Z

Link: CVE-2025-47438

Vulnrichment

Updated: 2025-05-23T14:55:12.681Z

NVD

Status: Modified

Published: 2025-05-23T13:15:37.550

Modified: 2026-04-29T10:16:47.477

Link: CVE-2025-47438

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:15:16Z

Weaknesses