Skip to main content

Career Section Plugin CVE-2026-6271

| EUVDEUVD-2026-30253 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-05-14 Wordfence GHSA-7fx9-263h-9gmp
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 08:24 vuln.today
CVE Published
May 14, 2026 - 06:44 nvd
CRITICAL 9.8

DescriptionCVE.org

The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible.

AnalysisAI

Unauthenticated arbitrary file upload in the Career Section WordPress plugin (versions through 1.7) enables remote code execution by abusing the CV upload handler, which lacks file type validation. Any attacker who can reach the upload endpoint can drop executable PHP files and gain code execution on the underlying WordPress host. No public exploit identified at time of analysis, but the CVSS 9.8 rating combined with SSVC 'automatable: yes' indicates this is a strong candidate for opportunistic mass exploitation once tooling appears.

Technical ContextAI

The Career Section plugin (CPE cpe:2.3:a:shahinurislam:career_section) is a WordPress recruitment plugin that exposes a CV/resume upload feature to anonymous job applicants. The flaw is CWE-434 (Unrestricted Upload of File with Dangerous Type): the CV upload handler accepts user-supplied files without validating MIME type, extension, or content against an allowlist. Because WordPress stores uploads under the publicly reachable wp-content/uploads directory and PHP typically executes any .php file delivered to the webroot, an attacker can upload a PHP web shell and request it directly. Wordfence's threat intelligence record (id 005d1abc-761d-4f9a-bc21-aad63e8efd66) confirms the missing validation as the root cause, and the WordPress plugin trac changesets 3507785, 3507912, and 3507917 in the career-section repository contain the upstream fix.

RemediationAI

Upgrade the Career Section plugin to a version newer than 1.7 that incorporates the upstream fixes published in WordPress.org plugin trac changesets 3507785, 3507912, and 3507917 (https://plugins.trac.wordpress.org/changeset/3507917/career-section); a specific tagged release number was not present in the input data, so site operators should pull the latest version from the WordPress.org plugin directory and confirm the changesets are included. Until the upgrade is applied, deactivate the Career Section plugin entirely (this disables the careers/CV upload feature for applicants), or block unauthenticated POST requests to the plugin's CV upload endpoint at the web server or WAF layer - note this will break legitimate applications. As a hardening measure, configure the webserver to refuse PHP execution inside wp-content/uploads (e.g., an Nginx location block or Apache <Directory> denying .php handlers), which contains impact for this and similar file-upload bugs but may break plugins that legitimately execute PHP from uploads. Consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/005d1abc-761d-4f9a-bc21-aad63e8efd66?source=cve for additional indicators.

Share

CVE-2026-6271 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy