Description
The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter in all versions up to, and including, 2.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-03-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to unauthorized data exfiltration
Action: Immediate Patch
AI Analysis

Impact

The WP Job Portal plugin for WordPress contains a parameter-level SQL injection flaw in the 'radius' variable. Because the value is used directly in a database query without proper escaping or prepared statements, an attacker can inject arbitrary SQL commands. This allows unauthenticated users to retrieve sensitive data from the database, compromising confidentiality. The vulnerability is classified as CWE-89 and scores a CVSS of 7.5, indicating high severity. There is no evidence that it is currently listed in CISA's KEV catalog, but the lack of authentication checks makes exploitation straightforward.

Affected Systems

The flaw affects all installations of the WP Job Portal plugin with version numbers 2.4.8 or earlier. The plugin is a WordPress add-on that powers recruitment sites. Any WordPress site that has the plugin version 2.4.8 or older is at risk, regardless of the WordPress core version.

Risk and Exploitability

The CVSS score of 7.5 signifies a serious threat, and while EPSS data is unavailable, the unauthenticated nature of the flaw means an attacker can construct a malicious HTTP request containing a crafted 'radius' parameter and cause the database server to execute unintended statements. If exploited, the attacker could read or dump the entire database. The vulnerability is not currently known to be exploited in the wild, but its high severity and ease of exploitation warrant urgent attention.

Generated by OpenCVE AI on March 24, 2026 at 03:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of WP Job Portal, at least 2.4.9, which removes the unsafe 'radius' handling.
  • If an update cannot be performed immediately, disable or uninstall the WP Job Portal plugin until a patch is applied.
  • As a temporary defensive measure, validate or sanitize the 'radius' parameter on the server side so that only numeric values are accepted, or use parameterized queries if possible.
  • Continue to monitor your WordPress logs for anomalous SQL queries or failed database access attempts, and keep all plugins and core WordPress installations up to date.
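The third recommendation above (accept only numeric radius values and bind them with a prepared statement) shown as working WordPress plugin code. This is an added example, not WP Job Portal's own code; the page does not show the plugin's actual query, so the table name example_jobs and the lat/lng columns are hypothetical, while $wpdb->prepare() and WP_Error are the real WordPress APIs.

```php
<?php
// Added example, not WP Job Portal's own code. Table and column names (example_jobs,
// lat, lng) are hypothetical; the WordPress $wpdb API and WP_Error are real.
/**
 * Return a validated radius (km) as a float, or null when the input is unacceptable.
 * The value is rejected rather than "cleaned": only a plain decimal number passes,
 * so no SQL fragment can ever reach the query string.
 */
function example_validate_radius( $raw ) {
    if ( ! is_scalar( $raw ) ) { // arrays in $_GET/$_POST are rejected outright
        return null;
    }
    $raw = trim( (string) $raw );
    // Digits with an optional fractional part and nothing else (no sign, no units).
    if ( ! preg_match( '/^\d{1,4}(\.\d{1,2})?$/', $raw ) ) {
        return null;
    }
    $radius = (float) $raw;
    return ( $radius > 0 && $radius <= 500 ) ? $radius : null;
}

/**
 * Run the proximity search with a placeholder for every user-controlled value.
 * The SQL text is a fixed string; $wpdb->prepare() binds and casts the arguments.
 */
function example_find_jobs_within_radius( $raw_radius, $lat, $lng ) {
    global $wpdb;
    $radius = example_validate_radius( $raw_radius );
    if ( null === $radius ) {
        return new WP_Error( 'invalid_radius', 'radius must be a positive number of km' );
    }
    $table = $wpdb->prefix . 'example_jobs'; // hypothetical table, not user-controlled
    $sql   = $wpdb->prepare(
        "SELECT id, title,
                ( 6371 * ACOS( COS( RADIANS( %f ) ) * COS( RADIANS( lat ) )
                  * COS( RADIANS( lng ) - RADIANS( %f ) )
                  + SIN( RADIANS( %f ) ) * SIN( RADIANS( lat ) ) ) ) AS distance_km
         FROM {$table}
         HAVING distance_km <= %f
         ORDER BY distance_km ASC",
        (float) $lat, (float) $lng, (float) $lat, $radius
    );
    return $wpdb->get_results( $sql );
}

// Validator checks that run without WordPress loaded: accept a number, reject the rest.
assert( 25.0 === example_validate_radius( '25' ) );
assert( null === example_validate_radius( '25 km' ) );
```

The same rejection logic can be applied at the web-application firewall or in a mu-plugin as a stopgap until the plugin itself is updated.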

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wpjobportal; Wpjobportal wp Job Portal – Ai-powered Recruitment System For Company Or Job Board Website

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wpjobportal; Wpjobportal wp Job Portal – Ai-powered Recruitment System For Company Or Job Board Website

Tue, 24 Mar 2026 02:30:00 +0000

Type: Description
Values Added: The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter in all versions up to, and including, 2.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Added: WP Job Portal <= 2.4.8 - Unauthenticated SQL Injection via 'radius' Parameter

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:26.081Z

Reserved: 2026-03-16T20:57:12.096Z

Link: CVE-2026-4306

Vulnrichment

Updated: 2026-03-24T14:16:24.755Z

NVD

Status: Awaiting Analysis

Published: 2026-03-23T23:17:13.403

Modified: 2026-03-24T15:53:48.067

Link: CVE-2026-4306

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:13Z

Weaknesses