Description
The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2026-03-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file deletion potentially enabling remote code execution
Action: Immediate Patch
AI Analysis

Impact

The WP Job Portal plugin allows authenticated users with Subscriber level or higher to call the removeFileCustom method. Because the method does not validate the file path, an attacker can specify any server path and delete files. Removing critical files such as wp-config.php can compromise the entire WordPress installation, allowing code execution, defacement, or data loss.

Affected Systems

Environments running WordPress with the WP Job Portal plugin on any version up to and including 2.4.9 are affected. The vulnerability is exploitable by any role that the plugin grants through the subscriber role, which is common for users who apply for jobs or post resumes. Versions 2.5.0 and later have the issue fixed.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, classifying it as high severity. No EPSS value is available, and the flaw is not listed in CISA's KEV catalog. Attackers need valid subscriber credentials, but once authenticated, the path validation weakness permits deletion of arbitrary files, which can lead directly to remote code execution or denial of service. The attack vector is inferred to be local via legitimate user access, but the outcome can have system-wide impact, so it must be treated with urgency.

Generated by OpenCVE AI on March 26, 2026 at 00:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Job Portal plugin to version 2.5.0 or newer.
  • If the plugin cannot be updated immediately, restrict subscriber access to the file deletion functionality or disable the custom file field feature through the plugin settings.
  • Back up critical files, especially wp-config.php, before making any changes.
  • Monitor server logs for any unexpected file deletions to detect potential exploitation.
  • Apply general WordPress hardening measures such as the principle of least privilege and secure file permissions.



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wpjobportal; Wpjobportal wp Job Portal – Ai-powered Recruitment System For Company Or Job Board Website

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wpjobportal; Wpjobportal wp Job Portal – Ai-powered Recruitment System For Company Or Job Board Website

Wed, 25 Mar 2026 23:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Type: Title
Values Removed: (none)
Values Added: WP Job Portal <= 2.4.9 - Authenticated (Subscriber+) Arbitrary File Deletion via Resume Custom File Field

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-22

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
Wpjobportal Wp Job Portal – Ai-powered Recruitment System For Company Or Job Board Website
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:46.880Z

Reserved: 2026-03-24T08:42:06.937Z

Link: CVE-2026-4758

Vulnrichment

Updated: 2026-03-26T17:49:01.901Z

NVD

Status: Awaiting Analysis

Published: 2026-03-26T00:16:41.570

Modified: 2026-03-30T13:26:50.827

Link: CVE-2026-4758

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:09:14Z

Weaknesses