Description
The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible.
Published: 2026-05-14
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Career Section plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in all releases up to 1.7. This flaw allows attackers who are not authenticated to upload files that may be executable, directly enabling remote code execution on the host system.

Affected Systems

The vulnerability affects the Career Section plugin developed by shahinurislam. All WordPress installations running version 1.7 or earlier are impacted; newer releases are not listed as affected.

Risk and Exploitability

The CVSS score of 9.8 marks this flaw as critical. The EPSS score is not available, and it is not listed in CISA KEV, indicating no known public exploits yet but the high CVSS suggests high risk. Based on the description, it is inferred that the attack vector is through the CV upload handler exposed to all users on the site, allowing unauthenticated upload of arbitrary files, which attackers can then execute to gain full control of the web server.

Generated by OpenCVE AI on May 14, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Career Section plugin to the latest version that includes the missing file type validation fix.
  • If an update is not immediately available, replace the plugin with a reputable alternative or disable the CV upload functionality entirely.
  • Implement server‑side file type checks and restrict upload permissions to prevent execution of arbitrary files.

Generated by OpenCVE AI on May 14, 2026 at 08:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Shahinurislam
Shahinurislam career Section
Wordpress
Wordpress wordpress
Vendors & Products Shahinurislam
Shahinurislam career Section
Wordpress
Wordpress wordpress

Thu, 14 May 2026 07:00:00 +0000

Type Values Removed Values Added
Description The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible.
Title Career Section <= 1.7 - Unauthenticated Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Shahinurislam Career Section
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T06:44:08.899Z

Reserved: 2026-04-14T11:40:26.648Z

Link: CVE-2026-6271

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-14T07:16:20.650

Modified: 2026-05-14T07:16:20.650

Link: CVE-2026-6271

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T08:30:16Z

Weaknesses