CVE-2026-4758

Name of the Vulnerable Software and Affected Versions WP Job Portal versions prior to 2.4.9

Description The WP Job Portal plugin for WordPress is susceptible to arbitrary file deletion. This is due to inadequate file path validation within the WPJOBPORTALcustomfields::removeFileCustom function. Authenticated attackers with Subscriber-level access or higher can delete arbitrary files on the server. Deletion of specific files, such as wp-config.php, could lead to remote code execution. The removeFileCustom function is the point of failure.

Recommendations Update WP Job Portal to a version later than 2.4.9.