EUVD-2026-16052CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Analysis
Authenticated attackers with Subscriber-level access can delete arbitrary files on WordPress servers running WP Job Portal plugin versions up to 2.4.9, enabling remote code execution by removing critical files like wp-config.php. The vulnerability stems from insufficient file path validation in the removeFileCustom function. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit active subscribers on all WordPress instances running WP Job Portal and document their business justification; disable the plugin on all affected installations pending patch availability or implement network-level restrictions. Within 7 days: Restrict subscriber role access to WordPress environments where possible; implement audit logging for file deletion events in WordPress core and plugin directories. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today