Platform: wordpress
Component: wp-job-portal
Fixed in: 2.5.0
CVE-2026-4758 is a Remote Code Execution (RCE) vulnerability affecting the WP Job Portal plugin for WordPress. This vulnerability allows authenticated attackers with Subscriber-level access or higher to delete arbitrary files on the server due to insufficient file path validation. Successful exploitation can lead to remote code execution, especially if critical files like 'wp-config.php' are deleted. The vulnerability affects all versions up to and including 2.4.9, and it has been fixed in version 2.5.0.
The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the WPJOBPORTALcustomfields::removeFileCustom function. Identified as CVE-2026-4758, this flaw allows authenticated attackers, with Subscriber-level access or higher, to delete arbitrary files on the server. This can easily lead to remote code execution (RCE) if critical files, such as wp-config.php, are deleted. The vulnerability affects all versions up to and including 2.4.9, making immediate action crucial to mitigate the risk. The potential for complete website compromise is significant, highlighting the severity of this issue.
An attacker with Subscriber or higher access can exploit this vulnerability by crafting malicious requests to manipulate the WPJOBPORTALcustomfields::removeFileCustom function and specify arbitrary file paths for deletion. The lack of proper path validation allows the attacker to bypass security protections and delete critical files. Deleting wp-config.php is particularly dangerous as it contains sensitive database credentials, potentially granting the attacker full access to the website and enabling remote code execution. The relative ease of exploitation combined with the high potential impact makes this a serious security concern.
Exploit Status
EPSS: 0.28% (51% percentile)
The primary mitigation for CVE-2026-4758 is to update the WP Job Portal plugin to version 2.5.0 or later. This version includes a fix for the file path validation issue, preventing unauthorized file deletion. As an interim measure, restrict permissions for users with Subscriber roles or higher to limit their ability to perform sensitive actions. Regularly monitoring server logs for suspicious activity can also help detect and respond to potential exploitation attempts. Updating the plugin is the most effective and recommended solution to address this vulnerability.
Update to version 2.5.0, or a newer patched version
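The page describes the fix only as file path validation and does not show the patched code. As an added illustration (not the plugin's code and not its 2.5.0 patch), this standalone PHP shows one way to confine a delete to a single directory; the function name `delete_within_dir` and the demo paths are hypothetical.

```php
<?php
// Added illustration: hypothetical helper, not code from WP Job Portal.
// Deletes $requestedName only if it resolves to a regular file inside $baseDir.
function delete_within_dir(string $baseDir, string $requestedName): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // realpath() resolves "..", "." and symlinks, and returns false
    // when the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requestedName);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Compare against the base plus a trailing separator, so a sibling such as
    // "/srv/uploads-old/x" is not accepted as being under "/srv/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed demo: a throwaway directory tree standing in for a site.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wpjp-demo-' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
$config = $root . DIRECTORY_SEPARATOR . 'wp-config.php';
mkdir($uploads, 0700, true);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'resume.pdf', 'constructed sample');
file_put_contents($config, 'constructed sample');

// A file inside the base directory, then a name that resolves outside it.
var_dump(delete_within_dir($uploads, 'resume.pdf'));
var_dump(delete_within_dir($uploads, '../wp-config.php'));
// Confirm whether the file outside the base directory still exists.
var_dump(file_exists($config));

// Clean up the demo tree.
unlink($config);
rmdir($uploads);
rmdir($root);
```

Resolving the path first and comparing afterwards matters: checking the raw string for a directory prefix before resolution would accept names that climb out of the directory.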
It's a security vulnerability in the WP Job Portal plugin that allows for arbitrary file deletion.
All versions up to and including 2.4.9 are affected by this vulnerability.
Update the WP Job Portal plugin to version 2.5.0 or later.
Restrict permissions for users with Subscriber roles or higher and monitor server logs.
If you suspect your website has been compromised, perform a thorough security audit and consider restoring from a clean backup.