Attack Vectors
CVE-2026-4758 is a High-severity issue (CVSS 8.8) affecting WP Job Portal – AI-Powered Recruitment System for Company or Job Board website (slug: wp-job-portal) versions 2.4.9 and earlier. The vulnerability is authenticated, meaning an attacker needs a valid login, but only at the Subscriber role (or higher), which is commonly available on sites that allow candidate registrations.
The attack path leverages the plugin’s resume-related custom file field functionality. By submitting crafted requests that manipulate file references, an attacker can trigger arbitrary file deletion without proper safeguards. Because no user interaction is required once the attacker is logged in, this can be executed quickly and repeatedly.
Security Weakness
The core weakness is insufficient file path validation in the plugin function WPJOBPORTALcustomfields::removeFileCustom. In practical terms, the plugin does not adequately confirm that a targeted file for deletion is confined to an expected, safe directory (for example, only a user’s own uploaded resume file).
This gap can allow an authenticated user to request deletion of files outside normal upload locations. When a web application can delete arbitrary server files, it becomes a critical stepping-stone for broader compromise—especially in WordPress, where certain files are essential for secure operation and continuity.
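As an added illustration (not the plugin's code, and not the patch the vendor shipped), the following stand-alone PHP shows the kind of confinement check that a file-removal handler needs: the user-supplied reference is joined to the permitted directory, canonicalised with realpath(), and deleted only if the result is a regular file strictly inside that directory. The function name safe_remove_custom_file, the directory layout and the sample files are assumptions constructed for this example.

```php
<?php
// Added example, not code from the WP Job Portal plugin. Names and the
// temporary directory layout below are constructed for the demonstration.
declare(strict_types=1);

/**
 * Delete $requested only if it resolves to a regular file strictly inside
 * $allowedDir. Returns true when the file was deleted, false when rejected.
 */
function safe_remove_custom_file(string $requested, string $allowedDir): bool
{
    // Canonicalise the permitted directory; it must already exist.
    $base = realpath($allowedDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }

    // realpath() collapses "..", "." and symbolic links, so a traversal
    // sequence, or a link placed inside the directory that points elsewhere,
    // resolves to its real target and is caught by the prefix test below.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return false; // missing, a directory, or a special file
    }

    // Compare against "base/" (with separator) so a sibling directory whose
    // name merely starts with the base name is not accepted.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    return unlink($target);
}

// ---- Stand-alone demo with constructed files in a scratch directory ----
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wpjp_demo_' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'resumes';   // the only permitted location
mkdir($uploads, 0700, true);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'resume.pdf', 'candidate upload');
// A decoy named like the WordPress config file, deliberately outside $uploads.
file_put_contents($root . DIRECTORY_SEPARATOR . 'wp-config.php', 'must survive');
// A symlink inside the permitted directory pointing at the decoy (skipped
// silently on platforms where symlink() is unavailable or unprivileged).
if (function_exists('symlink')) {
    @symlink($root . DIRECTORY_SEPARATOR . 'wp-config.php',
             $uploads . DIRECTORY_SEPARATOR . 'link-to-config');
}

foreach (['resume.pdf', '../wp-config.php', 'link-to-config'] as $name) {
    $deleted = safe_remove_custom_file($name, $uploads);
    printf("%-18s => %s\n", $name, $deleted ? 'deleted' : 'rejected');
}
printf("decoy wp-config.php still present: %s\n",
       file_exists($root . DIRECTORY_SEPARATOR . 'wp-config.php') ? 'yes' : 'no');

// Clean up the scratch directory.
@unlink($uploads . DIRECTORY_SEPARATOR . 'link-to-config');
@unlink($root . DIRECTORY_SEPARATOR . 'wp-config.php');
@rmdir($uploads);
@rmdir($root);
```

Inside a real WordPress handler the permitted directory would be derived from wp_upload_dir() and the current user's ID rather than passed in from the request, and the path check is only one layer: the handler should still verify the nonce and capability for the action and confirm that the custom-field record being cleared belongs to the requesting user before touching the filesystem.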
Technical or Business Impacts
From a business-risk perspective, arbitrary file deletion can lead to immediate site disruption and potentially full website compromise. The disclosure notes that deleting the “right” file (for example, wp-config.php) can “easily lead to remote code execution,” which may allow an attacker to take control of the WordPress site.
Likely outcomes for marketing leaders and executives include:
• Website outage and campaign disruption: Deleted files can break the site, landing pages, application flows, and tracking scripts—impacting lead generation and recruiting pipelines.
• Data exposure and brand damage: If compromise escalates, attackers may access sensitive business data, candidate information, or administrative controls, creating privacy and reputation consequences.
• Financial and compliance impact: Incident response, downtime, and possible notification obligations can drive unplanned costs and compliance scrutiny—especially for organizations collecting candidate data.
Remediation: Update WP Job Portal to version 2.5.0 or newer, which contains the fix. Review whether Subscriber registrations are required, and limit account creation where feasible. For official vulnerability details, see the CVE entry at https://www.cve.org/CVERecord?id=CVE-2026-4758 and the source advisory from Wordfence Threat Intelligence.