Skip to main content

WP Job Portal CVE-2026-57653

| EUVDEUVD-2026-39768 HIGH
SQL Injection (CWE-89)
2026-06-26 audit@patchstack.com GHSA-2wmh-hj9f-qxhx
8.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.5 HIGH

Contributor authentication required (PR:L), remote low-complexity SQLi reading DB beyond plugin scope (S:C, C:H), no integrity and only limited availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:47 vuln.today

DescriptionCVE.org

Contributor SQL Injection in WP Job Portal <= 2.5.2 versions.

AnalysisAI

SQL injection in the WP Job Portal WordPress plugin (versions 2.5.2 and earlier) lets a low-privileged Contributor-level user inject arbitrary SQL into a backend query, exposing the WordPress database. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H) reflects high confidentiality impact with a scope change, and the issue was reported by Patchstack. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor account on target
Exploit
Send crafted request to plugin parameter
Execution
Inject SQL into backend query
Impact
Exfiltrate database contents (user data/hashes)

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with at least Contributor role on a site running WP Job Portal version 2.5.2 or earlier (PR:L in the CVSS vector confirms a low-privilege authenticated requirement). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed-to-moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a Contributor account on a site running WP Job Portal <= 2.5.2, then submits a crafted request to a vulnerable plugin parameter that embeds SQL syntax. The injected query executes against the WordPress database, allowing extraction of sensitive data such as user records and password hashes. …
Remediation No vendor-released patch version was identified in the provided data; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-5-2-sql-injection-vulnerability?_s_id=cve) for the fixed release and upgrade to any version above 2.5.2 once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations to identify sites running WP Job Portal version 2.5.2 or earlier; document the count and criticality of affected instances. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57653 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy