CVE-2026-4758 Overview
The WP Job Portal plugin for WordPress contains an arbitrary file deletion vulnerability in the WPJOBPORTALcustomfields::removeFileCustom function. This path traversal flaw (CWE-22) results from insufficient file path validation, enabling authenticated attackers with Subscriber-level privileges or higher to delete arbitrary files on the server. Successful exploitation can lead to remote code execution when critical files such as wp-config.php are deleted, potentially compromising the entire WordPress installation.
Critical Impact
Authenticated attackers can delete arbitrary files on the server, including wp-config.php, leading to potential remote code execution and complete site compromise.
Affected Products
- WP Job Portal plugin for WordPress versions up to and including 2.4.9
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-4758 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-4758
Vulnerability Analysis
This vulnerability is classified as a Path Traversal (CWE-22) issue affecting the WP Job Portal plugin's custom fields functionality. The vulnerable code resides in the WPJOBPORTALcustomfields::removeFileCustom function located in the customfields.php file. The function fails to properly sanitize and validate user-supplied file path inputs before processing deletion operations.
The attack can be executed over the network without user interaction. An attacker requires only low-privilege authentication (Subscriber-level access) to exploit this vulnerability. Once exploited, the attacker gains the ability to delete any file on the server that the web server process has write permissions to.
The most severe impact scenario involves deleting the wp-config.php file, which contains WordPress database credentials and security keys. Removing this file can trigger WordPress's installation routine, allowing an attacker to reconfigure the site with attacker-controlled credentials, effectively achieving remote code execution.
Root Cause
The root cause of this vulnerability lies in insufficient file path validation within the removeFileCustom function. The function accepts user-controlled input for file paths without properly sanitizing directory traversal sequences (such as ../) or validating that the target file resides within an expected directory. This allows attackers to construct malicious file paths that traverse outside the intended directory structure and target arbitrary files on the server.
Attack Vector
The attack is executed over the network by authenticated users with Subscriber-level access or higher. An attacker sends a crafted request to the removeFileCustom function endpoint, including a malicious file path containing directory traversal sequences. The function processes this input without adequate validation and deletes the specified file. This requires no user interaction and can be performed with minimal technical sophistication once the vulnerable endpoint is identified.
The vulnerability mechanism involves path traversal sequences being passed to file deletion operations. The removeFileCustom function in customfields.php at line 1558 processes file removal requests without verifying that the target path is within the allowed upload directory. For detailed technical analysis, see the Wordfence Vulnerability Analysis and the vulnerable source code on WordPress Trac.
Detection Methods for CVE-2026-4758
Indicators of Compromise
- Unexpected deletion of critical WordPress files, particularly wp-config.php, .htaccess, or plugin/theme files
- HTTP requests containing path traversal sequences (../) targeting the WP Job Portal plugin endpoints
- WordPress installation/setup wizard appearing unexpectedly on an established site
- Web server error logs showing file not found errors for files that should exist
- Audit logs showing file deletion operations from the WP Job Portal plugin functionality
Detection Strategies
- Monitor web application logs for requests containing directory traversal patterns (../, ..%2F, %2e%2e/) targeting WP Job Portal endpoints
- Implement file integrity monitoring on critical WordPress files including wp-config.php, index.php, and core files
- Configure WAF rules to detect and block path traversal attempts in request parameters
- Enable WordPress audit logging to track file operations initiated through plugin functions
Monitoring Recommendations
- Deploy file integrity monitoring solutions to detect unauthorized modifications or deletions of WordPress core files
- Implement real-time alerting for deletion of wp-config.php or other critical configuration files
- Monitor authentication logs for unusual activity from Subscriber-level accounts
- Review web server access logs for anomalous patterns of requests to WP Job Portal custom field endpoints
How to Mitigate CVE-2026-4758
Immediate Actions Required
- Update WP Job Portal plugin to version 2.5.0 or later immediately
- Review web server logs for indicators of exploitation attempts
- Verify integrity of critical WordPress files, especially wp-config.php
- Consider temporarily disabling the WP Job Portal plugin if immediate patching is not possible
- Audit Subscriber-level user accounts for any suspicious or unauthorized accounts
Patch Information
The vulnerability has been addressed in WP Job Portal version 2.5.0. The patch introduces proper file path validation in the removeFileCustom function to prevent directory traversal attacks. The patched code can be reviewed in the WordPress Plugin Repository. Administrators should update to version 2.5.0 or later through the WordPress plugin update mechanism.
Workarounds
- If immediate patching is not possible, temporarily deactivate the WP Job Portal plugin until the update can be applied
- Implement Web Application Firewall (WAF) rules to block requests containing path traversal patterns targeting the plugin
- Restrict or remove Subscriber-level user registrations if the feature is not required for site operation
- Apply file system permissions to make critical files read-only where possible, limiting potential damage from exploitation
# Protect wp-config.php with restrictive permissions
chmod 400 wp-config.php
# Set ownership to prevent web server from modifying
chown root:root wp-config.php
# Add .htaccess protection for wp-config.php
echo '<files wp-config.php>
order allow,deny
deny from all
</files>' >> .htaccess
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
