Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.8
WP Job Portal Plugin Deletes Any File on WordPress Site
CVE-2026-4758
Summary
The WP Job Portal plugin for WordPress allows an attacker with a low-level account to delete any file on the site, potentially leading to serious data loss or security breaches. This issue affects all versions of the plugin up to 2.4.9. To protect your site, update the plugin to a fixed version or remove it if you don't use it.
Original title
The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions ...
Original description
The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
nvd CVSS3.1
8.8
Vulnerability type
CWE-22
Path Traversal
Published: 26 Mar 2026 · Updated: 26 Mar 2026 · First seen: 26 Mar 2026