Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ahmad WP Job Portal allows Blind SQL Injection.
This issue affects WP Job Portal: from n/a through 2.5.1.
AnalysisAI
Blind SQL injection in the WP Job Portal WordPress plugin (versions up to and including 2.5.1) allows remote unauthenticated attackers to manipulate backend database queries by sending crafted input to vulnerable parameters. The flaw carries a CVSS 9.3 rating due to network-reachable, no-privileges, no-user-interaction exploitation with scope change, and no public exploit code has been identified at time of analysis. The vulnerability was reported through Patchstack's WordPress security program, with no CISA KEV listing.
Technical ContextAI
WP Job Portal is a job board and recruitment plugin for WordPress developed by Ahmad, used to publish job listings, manage applications, and handle candidate/employer accounts on WordPress sites (CPE: cpe:2.3:a:ahmad:wp_job_portal). The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input is concatenated or interpolated into SQL statements without parameterization or proper escaping through WordPress's $wpdb->prepare() facility. The 'blind' qualifier indicates the application does not return query results or verbose database errors directly, so exploitation typically relies on boolean-based or time-based inference techniques to extract data byte by byte.
RemediationAI
No vendor-released patch identified at time of analysis - the Patchstack advisory documents the issue against the 2.5.1 version with no fixed version cited in the provided data, so administrators should monitor the WP Job Portal plugin page on WordPress.org and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-5-1-sql-injection-vulnerability) for an updated release beyond 2.5.1 and upgrade as soon as it ships. Until a patched build is available, deactivate the WP Job Portal plugin on production sites that do not actively serve a job board (this removes all plugin endpoints), or place the site behind a WAF / Patchstack mitigation rule that blocks SQL meta-characters and time-based payloads (UNION, SLEEP, BENCHMARK, --, etc.) on the plugin's front-end and admin-ajax endpoints - note that aggressive WAF rules can break legitimate searches containing apostrophes or quotes in job titles. Restricting access to the plugin's URLs to authenticated users via web-server rules is another option but only if the affected endpoints are not required for public job seekers, since this would break the public job board functionality.
More in Wp Job Portal
View allThe WP Job Portal WordPress plugin before 2.0.6 does not sanitise and escape a parameter before using it in a SQL statem
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
Missing authorization in WP Job Portal WordPress plugin before 2.5.5 allows any self-registered subscriber to approve, f
The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email fo
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
Reflected cross-site scripting in the WP Job Portal WordPress plugin (versions up to and including 2.5.1) allows remote
Stored Cross-Site Scripting in WP Job Portal WordPress plugin versions up to and including 2.5.2 allows authenticated Su
Missing Authorization vulnerability in WP Job Portal WP Job Portal - A Complete Job Board.0.1. Rated medium severity (CV
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33909
GHSA-6m39-555m-v725