Skip to main content

WP Job Portal EUVDEUVD-2026-33909

| CVE-2026-42684 CRITICAL
SQL Injection (CWE-89)
2026-06-02 Patchstack GHSA-6m39-555m-v725
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 11:50 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ahmad WP Job Portal allows Blind SQL Injection.

This issue affects WP Job Portal: from n/a through 2.5.1.

AnalysisAI

Blind SQL injection in the WP Job Portal WordPress plugin (versions up to and including 2.5.1) allows remote unauthenticated attackers to manipulate backend database queries by sending crafted input to vulnerable parameters. The flaw carries a CVSS 9.3 rating due to network-reachable, no-privileges, no-user-interaction exploitation with scope change, and no public exploit code has been identified at time of analysis. The vulnerability was reported through Patchstack's WordPress security program, with no CISA KEV listing.

Technical ContextAI

WP Job Portal is a job board and recruitment plugin for WordPress developed by Ahmad, used to publish job listings, manage applications, and handle candidate/employer accounts on WordPress sites (CPE: cpe:2.3:a:ahmad:wp_job_portal). The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input is concatenated or interpolated into SQL statements without parameterization or proper escaping through WordPress's $wpdb->prepare() facility. The 'blind' qualifier indicates the application does not return query results or verbose database errors directly, so exploitation typically relies on boolean-based or time-based inference techniques to extract data byte by byte.

RemediationAI

No vendor-released patch identified at time of analysis - the Patchstack advisory documents the issue against the 2.5.1 version with no fixed version cited in the provided data, so administrators should monitor the WP Job Portal plugin page on WordPress.org and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-5-1-sql-injection-vulnerability) for an updated release beyond 2.5.1 and upgrade as soon as it ships. Until a patched build is available, deactivate the WP Job Portal plugin on production sites that do not actively serve a job board (this removes all plugin endpoints), or place the site behind a WAF / Patchstack mitigation rule that blocks SQL meta-characters and time-based payloads (UNION, SLEEP, BENCHMARK, --, etc.) on the plugin's front-end and admin-ajax endpoints - note that aggressive WAF rules can break legitimate searches containing apostrophes or quotes in job titles. Restricting access to the plugin's URLs to authenticated users via web-server rules is another option but only if the affected endpoints are not required for public job seekers, since this would break the public job board functionality.

CVE-2023-4490 CRITICAL POC
9.8 Sep 25

The WP Job Portal WordPress plugin before 2.0.6 does not sanitise and escape a parameter before using it in a SQL statem

CVE-2024-11715 CRITICAL
9.8 Dec 14

The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to

CVE-2024-7950 CRITICAL
9.8 Sep 04

The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to

CVE-2026-12396 MEDIUM POC
5.4 Jul 13

Missing authorization in WP Job Portal WordPress plugin before 2.5.5 allows any self-registered subscriber to approve, f

CVE-2026-12397 MEDIUM POC
4.3 Jul 13

The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email fo

CVE-2024-11711 HIGH
7.5 Dec 14

The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to

CVE-2026-42685 HIGH
7.1 Jun 02

Reflected cross-site scripting in the WP Job Portal WordPress plugin (versions up to and including 2.5.1) allows remote

CVE-2026-48880 MEDIUM
6.5 Jun 15

Stored Cross-Site Scripting in WP Job Portal WordPress plugin versions up to and including 2.5.2 allows authenticated Su

CVE-2022-41786 MEDIUM
5.4 Jan 17

Missing Authorization vulnerability in WP Job Portal WP Job Portal - A Complete Job Board.0.1. Rated medium severity (CV

CVE-2024-11712 MEDIUM
5.3 Dec 14

The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to

CVE-2024-11714 MEDIUM
4.9 Dec 14

The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to

CVE-2024-11713 MEDIUM
4.9 Dec 14

The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to

Share

EUVD-2026-33909 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy