Attack Vectors
WP Job Portal – AI-Powered Recruitment System for Company or Job Board website (slug: wp-job-portal) is affected by a High-severity vulnerability (CVE-2026-4306, CVSS 7.5).
The issue can be exploited without logging in (unauthenticated) over the network by sending a crafted request that manipulates the plugin’s “radius” parameter. Because no user interaction is required, attacks can be automated and scaled, increasing the likelihood of opportunistic scanning and exploitation.
References: the CVE-2026-4306 record and the Wordfence vulnerability advisory for wp-job-portal.
Security Weakness
This vulnerability is a SQL injection caused by insufficient escaping of a user-supplied parameter and insufficient preparation (parameterization) of an existing database query. In practical terms, the plugin accepts attacker-controlled input and splices it into a database query as SQL text rather than as a bound value, which lets the attacker change the query's logic and therefore what the database returns, including rows the query was never meant to read.
According to the published advisory, all versions up to and including 2.4.8 are affected. The recommended remediation is to update to 2.4.9 or newer, which contains the fix.
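The following is an added illustration of the weakness class described above; it is not WP Job Portal's code and does not reproduce the plugin's actual query. The table names (job_listings, users), columns, rows and the "radius" search function are constructed for the demo. It contrasts a query built by string concatenation (no escaping, no preparation) with a validated, parameterized version, using an in-memory SQLite database so it runs offline.

```python
import math
import sqlite3

# Added example, not the plugin's code. Schema and rows are constructed.

def make_db():
    """Build a throwaway database with a job table and a 'sensitive' table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE job_listings (id INTEGER, title TEXT, distance_km REAL);
        INSERT INTO job_listings VALUES (1, 'Nearby role', 5.0),
                                        (2, 'Regional role', 40.0),
                                        (3, 'Remote role', 900.0);
        CREATE TABLE users (user_login TEXT, user_pass TEXT);
        INSERT INTO users VALUES ('admin', '$P$Bexamplehash');
        """
    )
    return conn

def search_vulnerable(conn, radius):
    """Insufficient escaping / no preparation: the request value is spliced
    straight into the SQL text, so it can carry SQL of its own."""
    sql = "SELECT id, title FROM job_listings WHERE distance_km <= " + str(radius)
    return conn.execute(sql).fetchall()

def search_hardened(conn, radius):
    """Validate the type first, then bind the value as a query parameter so the
    database never parses it as SQL."""
    try:
        radius_val = float(radius)
    except (TypeError, ValueError):
        raise ValueError("radius must be numeric")
    # Reject NaN/inf (which float() accepts) and negative distances.
    if not math.isfinite(radius_val) or radius_val < 0:
        raise ValueError("radius must be a finite, non-negative number")
    sql = "SELECT id, title FROM job_listings WHERE distance_km <= ?"
    return conn.execute(sql, (radius_val,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    # Normal use: one row within 10 km.
    print(search_vulnerable(conn, "10"))
    # Tautology widens the WHERE clause and returns every listing.
    print(search_vulnerable(conn, "10 OR 1=1"))
    # UNION pulls rows from an unrelated table: the data-extraction outcome
    # the advisory warns about.
    print(search_vulnerable(conn, "0 UNION SELECT user_login, user_pass FROM users"))
    # The hardened version serves the legitimate query and rejects the rest.
    print(search_hardened(conn, "10"))
    try:
        search_hardened(conn, "10 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The two defences are independent and both matter: type validation stops non-numeric junk at the edge, and the bound parameter guarantees that even a value which passes validation is treated as data. In a WordPress plugin the same pattern is `$wpdb->prepare()` with a `%f` or `%d` placeholder rather than string interpolation into the query.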
Technical or Business Impacts
The primary risk described for this issue is unauthorized extraction of sensitive information from the WordPress database. For organizations using WP Job Portal to support recruiting or job boards, this can translate into exposure of business-critical or regulated data stored in the site’s database (depending on what your instance stores), with potential downstream impacts on applicants, customers, and internal operations.
For executive and compliance stakeholders, likely business impacts include: privacy and regulatory exposure (if personal data is involved), brand and trust damage (especially if job candidate data is affected), incident response and legal costs, and disruption to recruiting pipelines while teams investigate, contain, and communicate.
Action to reduce risk: confirm whether the wp-job-portal plugin is installed on any production, staging, or microsite environments; prioritize patching to WP Job Portal 2.4.9+; and ensure monitoring/alerting is in place for unusual spikes in requests to job search or filtering endpoints where parameters like “radius” may be used.
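As an added example of the monitoring point above (not part of the advisory), the script below triages web-server access-log lines for requests whose "radius" value is not a plain number and counts them per client address so a burst from one source can raise an alert. The log lines, the /jobs/ path, the status codes and the alert threshold are all constructed assumptions; adapt the path and parameter name to where your site actually exposes the search filter.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Added example, not from the advisory. Log lines are constructed; the
# /jobs/ endpoint and the use of "radius" on it are assumptions.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:09:14:01 +0000] "GET /jobs/?radius=25&keyword=nurse HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2026:09:14:02 +0000] "GET /jobs/?radius=25%20OR%201%3D1 HTTP/1.1" 200 90211
203.0.113.7 - - [10/Mar/2026:09:14:03 +0000] "GET /jobs/?radius=25%27 HTTP/1.1" 500 1203
198.51.100.4 - - [10/Mar/2026:09:15:10 +0000] "GET /jobs/?radius=10 HTTP/1.1" 200 4400
198.51.100.4 - - [10/Mar/2026:09:15:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 120
"""

# Common/combined log format: client, identity, user, [time], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# What a legitimate radius looks like: digits with an optional fraction.
NUMERIC_RE = re.compile(r'^\d+(\.\d+)?$')

def parse_line(line):
    """Return ip, path, decoded query parameters and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "params": parse_qs(parts.query),  # percent-decodes values
        "status": int(m.group("status")),
    }

def suspicious_radius(params):
    """Every radius value that is not a plain non-negative number."""
    return [v for v in params.get("radius", []) if not NUMERIC_RE.match(v.strip())]

def triage(log_text):
    """Flag suspicious requests and count them per client address."""
    hits = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bad = suspicious_radius(rec["params"])
        if bad:
            hits.append((rec["ip"], rec["path"], bad[0], rec["status"]))
            per_ip[rec["ip"]] += 1
    return hits, per_ip

def alert_ips(per_ip, threshold=2):
    """Clients at or above the threshold of suspicious requests."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE_LOG)
    for hit in hits:
        print("suspicious:", hit)
    print("alert on:", alert_ips(per_ip))
```

Two details are worth keeping when you move this onto real logs: decode the query string before matching (attackers URL-encode spaces and quotes, and a raw-text grep for `OR 1=1` misses `%20OR%201%3D1`), and treat a run of 500 responses on the same endpoint as corroborating evidence, since a probe that breaks the query usually surfaces as a database error before a successful extraction does.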
Similar Attacks
SQL injection has a long track record of being used to expose sensitive data and trigger high-cost incidents. Examples include:
TalkTalk (2015) cyberattack (widely reported as involving SQL injection and large-scale data exposure) and
Heartland Payment Systems breach (2008) (one of the major breaches historically associated with SQL injection techniques).