Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible.
AnalysisAI
Unauthenticated arbitrary file upload in the Career Section WordPress plugin (versions through 1.7) enables remote code execution by abusing the CV upload handler, which lacks file type validation. Any attacker who can reach the upload endpoint can drop executable PHP files and gain code execution on the underlying WordPress host. No public exploit identified at time of analysis, but the CVSS 9.8 rating combined with SSVC 'automatable: yes' indicates this is a strong candidate for opportunistic mass exploitation once tooling appears.
Technical ContextAI
The Career Section plugin (CPE cpe:2.3:a:shahinurislam:career_section) is a WordPress recruitment plugin that exposes a CV/resume upload feature to anonymous job applicants. The flaw is CWE-434 (Unrestricted Upload of File with Dangerous Type): the CV upload handler accepts user-supplied files without validating MIME type, extension, or content against an allowlist. Because WordPress stores uploads under the publicly reachable wp-content/uploads directory and PHP typically executes any .php file delivered to the webroot, an attacker can upload a PHP web shell and request it directly. Wordfence's threat intelligence record (id 005d1abc-761d-4f9a-bc21-aad63e8efd66) confirms the missing validation as the root cause, and the WordPress plugin trac changesets 3507785, 3507912, and 3507917 in the career-section repository contain the upstream fix.
RemediationAI
Upgrade the Career Section plugin to a version newer than 1.7 that incorporates the upstream fixes published in WordPress.org plugin trac changesets 3507785, 3507912, and 3507917 (https://plugins.trac.wordpress.org/changeset/3507917/career-section); a specific tagged release number was not present in the input data, so site operators should pull the latest version from the WordPress.org plugin directory and confirm the changesets are included. Until the upgrade is applied, deactivate the Career Section plugin entirely (this disables the careers/CV upload feature for applicants), or block unauthenticated POST requests to the plugin's CV upload endpoint at the web server or WAF layer - note this will break legitimate applications. As a hardening measure, configure the webserver to refuse PHP execution inside wp-content/uploads (e.g., an Nginx location block or Apache <Directory> denying .php handlers), which contains impact for this and similar file-upload bugs but may break plugins that legitimately execute PHP from uploads. Consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/005d1abc-761d-4f9a-bc21-aad63e8efd66?source=cve for additional indicators.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30253
GHSA-7fx9-263h-9gmp