8 vulnerabilities found for WP Job Portal – AI-Powered Recruitment System for Company or Job Board website by wpjobportal

CVE-2026-4758 (GCVE-0-2026-4758)

Vulnerability from nvd – Published: 2026-03-25 23:26 – Updated: 2026-03-26 17:51
Title
WP Job Portal <= 2.4.9 - Authenticated (Subscriber+) Arbitrary File Deletion via Resume Custom File Field
Summary
The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Credits
daroo

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4758",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T17:36:58.561742Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-26T17:51:16.635Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WP Job Portal \u2013 AI-Powered Recruitment System for Company or Job Board website",
          "vendor": "wpjobportal",
          "versions": [
            {
              "lessThanOrEqual": "2.4.9",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "daroo"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the \u0027WPJOBPORTALcustomfields::removeFileCustom\u0027 function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T23:26:02.312Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e96f31e0-4b2e-4ea1-a3e5-fd7452a2fea9?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.4.9/includes/classes/customfields.php#L1558"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.5.0/includes/classes/customfields.php?rev=3490490#L1558"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-24T08:57:49.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-25T10:39:46.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WP Job Portal \u003c= 2.4.9 - Authenticated (Subscriber+) Arbitrary File Deletion via Resume Custom File Field"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4758",
    "datePublished": "2026-03-25T23:26:02.312Z",
    "dateReserved": "2026-03-24T08:42:06.937Z",
    "dateUpdated": "2026-03-26T17:51:16.635Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4306 (GCVE-0-2026-4306)

Vulnerability from nvd – Published: 2026-03-23 22:25 – Updated: 2026-03-24 15:13
Title
WP Job Portal <= 2.4.8 - Unauthenticated SQL Injection via 'radius' Parameter
Summary
The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter in all versions up to, and including, 2.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Credits
Leonid Semenenko

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4306",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T14:16:19.039564Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T15:13:00.978Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WP Job Portal \u2013 AI-Powered Recruitment System for Company or Job Board website",
          "vendor": "wpjobportal",
          "versions": [
            {
              "lessThanOrEqual": "2.4.8",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Leonid Semenenko"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the \u0027radius\u0027 parameter in all versions up to, and including, 2.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T22:25:40.158Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ecc34552-c9b0-455f-b1c7-b31cc847cb22?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.4.7/modules/job/model.php#L2743"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.4.7/includes/ajax.php#L10"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?old_path=/wp-job-portal/tags/2.4.8\u0026new_path=/wp-job-portal/tags/2.4.9"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-16T21:12:24.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-23T10:12:47.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WP Job Portal \u003c= 2.4.8 - Unauthenticated SQL Injection via \u0027radius\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4306",
    "datePublished": "2026-03-23T22:25:40.158Z",
    "dateReserved": "2026-03-16T20:57:12.096Z",
    "dateUpdated": "2026-03-24T15:13:00.978Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14467 (GCVE-0-2025-14467)

Vulnerability from nvd – Published: 2025-12-12 03:20 – Updated: 2025-12-15 18:17
Title
WP Job Portal <= 2.3.9 - Authenticated (Editor+) Stored Cross-Site Scripting via Job Description Field
Summary
The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.3.9. This is due to the plugin explicitly whitelisting the `<script>` tag in its `WPJOBPORTAL_ALLOWED_TAGS` configuration and using insufficient input sanitization when saving job descriptions. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts into job description fields via the job creation/editing interface. These scripts will execute whenever a user accesses an injected page, enabling session hijacking, credential theft, and other malicious activities. This only impacts multi-site installations, or those with unfiltered_html disabled.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Credits
Long Nguyen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14467",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-15T18:08:38.949270Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-15T18:17:14.870Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WP Job Portal \u2013 AI-Powered Recruitment System for Company or Job Board website",
          "vendor": "wpjobportal",
          "versions": [
            {
              "lessThanOrEqual": "2.3.9",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Long Nguyen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.3.9. This is due to the plugin explicitly whitelisting the `\u003cscript\u003e` tag in its `WPJOBPORTAL_ALLOWED_TAGS` configuration and using insufficient input sanitization when saving job descriptions. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts into job description fields via the job creation/editing interface. These scripts will execute whenever a user accesses an injected page, enabling session hijacking, credential theft, and other malicious activities.This only impacts multi-site installations, or those with unfiltered_html disabled."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-12T03:20:39.179Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c347b9f-d297-4cb5-9c4a-1001d845ed5a?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/includes/constants.php#L351"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/trunk/includes/constants.php#L351"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/trunk/modules/job/model.php#L1278"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/job/model.php#L1278"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/trunk/modules/job/tmpl/views/frontend/title.php#L231"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/job/tmpl/views/frontend/title.php#L231"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-11T15:05:46.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WP Job Portal \u003c= 2.3.9 - Authenticated (Editor+) Stored Cross-Site Scripting via Job Description Field"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-14467",
    "datePublished": "2025-12-12T03:20:39.179Z",
    "dateReserved": "2025-12-10T16:11:47.862Z",
    "dateUpdated": "2025-12-15T18:17:14.870Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14293 (GCVE-0-2025-14293)

Vulnerability from nvd – Published: 2025-12-11 20:22 – Updated: 2025-12-11 21:18
Title
WP Job Portal <= 2.4.0 - Authenticated (Subscriber+) Arbitrary File Read
Summary
The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the 'downloadCustomUploadedFile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Credits
Long Nguyen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14293",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-11T21:05:00.571565Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-11T21:18:15.841Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WP Job Portal \u2013 AI-Powered Recruitment System for Company or Job Board website",
          "vendor": "wpjobportal",
          "versions": [
            {
              "lessThanOrEqual": "2.4.0",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Long Nguyen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the \u0027downloadCustomUploadedFile\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-11T20:22:09.209Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dfcd264-39e3-44af-8e0e-5c35734524d0?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/customfield/model.php#L908"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-11T06:34:28.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WP Job Portal \u003c= 2.4.0 - Authenticated (Subscriber+) Arbitrary File Read"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-14293",
    "datePublished": "2025-12-11T20:22:09.209Z",
    "dateReserved": "2025-12-08T19:46:21.034Z",
    "dateUpdated": "2025-12-11T21:18:15.841Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4758 (GCVE-0-2026-4758)

Vulnerability from cvelistv5 – Published: 2026-03-25 23:26 – Updated: 2026-03-26 17:51
Title
WP Job Portal <= 2.4.9 - Authenticated (Subscriber+) Arbitrary File Deletion via Resume Custom File Field
Summary
The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Credits
daroo

CVE-2026-4306 (GCVE-0-2026-4306)

Vulnerability from cvelistv5 – Published: 2026-03-23 22:25 – Updated: 2026-03-24 15:13
Title
WP Job Portal <= 2.4.8 - Unauthenticated SQL Injection via 'radius' Parameter
Summary
The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter in all versions up to, and including, 2.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Credits
Leonid Semenenko

CVE-2025-14467 (GCVE-0-2025-14467)

Vulnerability from cvelistv5 – Published: 2025-12-12 03:20 – Updated: 2025-12-15 18:17
Title
WP Job Portal <= 2.3.9 - Authenticated (Editor+) Stored Cross-Site Scripting via Job Description Field
Summary
The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.3.9. This is due to the plugin explicitly whitelisting the `<script>` tag in its `WPJOBPORTAL_ALLOWED_TAGS` configuration and using insufficient input sanitization when saving job descriptions. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts into job description fields via the job creation/editing interface. These scripts will execute whenever a user accesses an injected page, enabling session hijacking, credential theft, and other malicious activities. This only impacts multi-site installations, or those with unfiltered_html disabled.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Credits
Long Nguyen
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-12T03:20:39.179Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c347b9f-d297-4cb5-9c4a-1001d845ed5a?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/includes/constants.php#L351"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/trunk/includes/constants.php#L351"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/trunk/modules/job/model.php#L1278"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/job/model.php#L1278"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/trunk/modules/job/tmpl/views/frontend/title.php#L231"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/job/tmpl/views/frontend/title.php#L231"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-11T15:05:46.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WP Job Portal \u003c= 2.3.9 - Authenticated (Editor+) Stored Cross-Site Scripting via Job Description Field"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-14467",
    "datePublished": "2025-12-12T03:20:39.179Z",
    "dateReserved": "2025-12-10T16:11:47.862Z",
    "dateUpdated": "2025-12-15T18:17:14.870Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14293 (GCVE-0-2025-14293)

Vulnerability from cvelistv5 – Published: 2025-12-11 20:22 – Updated: 2025-12-11 21:18
Title
WP Job Portal <= 2.4.0 - Authenticated (Subscriber+) Arbitrary File Read
Summary
The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the 'downloadCustomUploadedFile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Credits
Long Nguyen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14293",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-11T21:05:00.571565Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-11T21:18:15.841Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WP Job Portal \u2013 AI-Powered Recruitment System for Company or Job Board website",
          "vendor": "wpjobportal",
          "versions": [
            {
              "lessThanOrEqual": "2.4.0",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Long Nguyen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the \u0027downloadCustomUploadedFile\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-11T20:22:09.209Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dfcd264-39e3-44af-8e0e-5c35734524d0?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/customfield/model.php#L908"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-11T06:34:28.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WP Job Portal \u003c= 2.4.0 - Authenticated (Subscriber+) Arbitrary File Read"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-14293",
    "datePublished": "2025-12-11T20:22:09.209Z",
    "dateReserved": "2025-12-08T19:46:21.034Z",
    "dateUpdated": "2025-12-11T21:18:15.841Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}