Skip to main content

Career Section

1 CVEs product

Monthly

CVE-2026-6271 CRITICAL Act Now

Unauthenticated arbitrary file upload in the Career Section WordPress plugin (versions through 1.7) enables remote code execution by abusing the CV upload handler, which lacks file type validation. Any attacker who can reach the upload endpoint can drop executable PHP files and gain code execution on the underlying WordPress host. No public exploit identified at time of analysis, but the CVSS 9.8 rating combined with SSVC 'automatable: yes' indicates this is a strong candidate for opportunistic mass exploitation once tooling appears.

File Upload WordPress RCE Career Section
NVD
CVSS 3.1
9.8
EPSS
0.1%
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated arbitrary file upload in the Career Section WordPress plugin (versions through 1.7) enables remote code execution by abusing the CV upload handler, which lacks file type validation. Any attacker who can reach the upload endpoint can drop executable PHP files and gain code execution on the underlying WordPress host. No public exploit identified at time of analysis, but the CVSS 9.8 rating combined with SSVC 'automatable: yes' indicates this is a strong candidate for opportunistic mass exploitation once tooling appears.

File Upload WordPress RCE +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy