Career Section
Monthly
Unauthenticated arbitrary file upload in the Career Section WordPress plugin (versions through 1.7) enables remote code execution by abusing the CV upload handler, which lacks file type validation. Any attacker who can reach the upload endpoint can drop executable PHP files and gain code execution on the underlying WordPress host. No public exploit identified at time of analysis, but the CVSS 9.8 rating combined with SSVC 'automatable: yes' indicates this is a strong candidate for opportunistic mass exploitation once tooling appears.
Unauthenticated arbitrary file upload in the Career Section WordPress plugin (versions through 1.7) enables remote code execution by abusing the CV upload handler, which lacks file type validation. Any attacker who can reach the upload endpoint can drop executable PHP files and gain code execution on the underlying WordPress host. No public exploit identified at time of analysis, but the CVSS 9.8 rating combined with SSVC 'automatable: yes' indicates this is a strong candidate for opportunistic mass exploitation once tooling appears.