WP Job Portal Plugin Arbitrary File Deletion Vulnerability

Vulnerability

A vulnerability allowing authenticated users with Subscriber-level access and above to delete arbitrary files on the server has been identified in the WP Job Portal plugin for WordPress, in versions through 2.4.9. This issue arises from inadequate validation of file paths in the 'WPJOBPORTALcustomfields::removeFileCustom' function. Exploiting this vulnerability could lead to remote code execution, particularly if a critical file like wp-config.php is deleted.

Impact

Successful exploitation allows for arbitrary file deletion, which can lead to remote code execution if a sensitive file is removed.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can use the resume custom file field to upload a file. After the file is uploaded, the same field can be used to delete the file. The 'removeFileCustom' function will be called, which lacks proper file path validation, allowing for arbitrary file deletion on the server.

Remediation

Users are advised to update the WP Job Portal plugin to version 2.5.0 or later, where this vulnerability has been patched.
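
One way to enforce the file path validation described above, shown as an added PHP example that is neither the plugin's code nor its 2.5.0 patch. The function name `delete_within_base`, the directory layout and the sample files are assumptions constructed for the demonstration.

```php
<?php
// Added illustration; not WP Job Portal code.
// Function name, directory layout and sample files are hypothetical.

/**
 * Delete $requested only if it resolves to a regular file inside $baseDir.
 * Returns true when a file was deleted, false when the request was refused.
 */
function delete_within_base(string $baseDir, string $requested): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // Refuse empty names and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return false;
    }
    // realpath() collapses "." and ".." segments and follows symlinks;
    // it returns false when the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Compare against the base plus a trailing separator, so a sibling
    // directory that merely shares the base's name prefix does not pass.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed demo tree in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fd_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads/resume_1', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed stand-in\n");
file_put_contents($root . '/uploads/resume_1/cv.pdf', 'constructed');

$base = $root . '/uploads/resume_1';
var_dump(delete_within_base($base, 'cv.pdf'));               // request inside the base directory
var_dump(delete_within_base($base, '../../wp-config.php'));  // request resolving outside the base
var_dump(file_exists($root . '/wp-config.php'));             // state of the stand-in file afterwards
```

The containment check runs on the resolved path rather than on the submitted string, so it does not depend on filtering particular character sequences out of the input.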

Added: Mar 26, 2026, 12:20 AM
Updated: Mar 26, 2026, 12:20 AM

Vulnerability Rating

Custom Algorithm
spread: 1.6
impact: 2.7
exploitability: 6.4
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.