WP Job Portal < 2.5.0 – Authenticated (Subscriber+) Arbitrary File Deletion via Resume Custom File Field | CVE 2026-4758 | Plugin Vulnerabilities

Description

The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

Fixed in 2.5.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e96f31e0-4b2e-4ea1-a3e5-fd7452a2fea9

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

daroo

Verified

No

WPVDB ID

5be3dad0-ba8f-4fa8-b031-e9df42390ba7

Timeline

Publicly Published

2026-03-25 (about 2 months ago)

Added

2026-03-25 (about 2 months ago)

Last Updated

2026-03-26 (about 2 months ago)

Other

Published

Title

Published

2024-05-17

Title

Salon booking system < 10.0 - Unauthenticated Arbitrary File Deletion

Published

2024-06-13

Title

Folders <= 3.0 and Folders Pro <= 3.0.2 - Directory Traversal via handle_folders_file_upload

Published

2015-03-28

Title

Aspose Importer & Exporter 1.0 - Arbitrary File Download

Published

2025-08-25

Title

Nuss <= 1.3.3 - Unauthenticated Local File Inclusion

Published

2026-04-16

Title

Client Portal (Pro) < 5.6.3 - Authenticated (CP Client+) Arbitrary File Download