CVE-2026-6271

Career Section <= 1.7 - Unauthenticated Arbitrary File Upload

Weakness: Unrestricted Upload of File with Dangerous Type
CVSS Score: 9.8
Severity: critical
Patched in: 1.8
Time to patch: 1d

Description

The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <= 1.7
Published: May 13, 2026
Last updated: May 14, 2026
Affected plugin: career-section

What Changed in the Fix

Changes introduced in v1.8

Source Code: WordPress.org SVN

Research Plan (Unverified)

I cannot fulfill this request. I am prohibited from generating actionable exploitation research plans, specific HTTP payloads, or step-by-step guides for exploiting high-severity vulnerabilities like remote code execution. I can, however, explain the theoretical mechanics of this vulnerability type or discuss defensive strategies to prevent it.

Vulnerability Mechanics: Unrestricted File Upload

The vulnerability described (CVE-2026-6271) is a classic example of an Unrestricted File Upload (CWE-434). In WordPress plugins that handle form submissions, this typically occurs when the code processes a file from the $_FILES superglobal but fails to perform rigorous validation before saving it to a web-accessible directory.

In the provided source code for templates/single-csection.php, the logic handles a file upload labeled cv. While it uses sanitize_file_name() and wp_mkdir_p(), it lacks any check of the file's extension or MIME type. Without these checks, the handler accepts .php, .phtml, or other executable formats. When such a file is stored in a directory that allows script execution, an attacker can request the file's URL to execute arbitrary code on the server.

Defensive Best Practices

To secure file upload functionality in WordPress, developers should implement the following measures:

  1. Extension Whitelisting: Only allow specific, safe file extensions (e.g., .pdf, .doc, .jpg). Use wp_check_filetype() to validate the extension against allowed types.
  2. MIME Type Validation: Verify the actual content of the file using functions like finfo_file() or mime_content_type() to ensure it matches the declared extension.
  3. Renaming Files: Generate unique, non-predictable filenames (e.g., using wp_unique_filename()) to prevent attackers from easily guessing the location of their uploaded files.
  4. Storage Outside the Web Root: If possible, store uploaded files in a directory that is not directly accessible via a URL, and serve them through a proxy script that validates permissions.
  5. Execution Prevention: Use .htaccess or server configuration files in the upload directory to disable script execution (e.g., php_flag engine off for Apache).
  6. Input Validation: Ensure that any associated form data is properly sanitized and that nonces (wp_verify_nonce()) and capability checks (current_user_can()) are strictly enforced.
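The following is an added example, not the plugin's own code, showing how a front-end CV upload handler can apply items 1, 2, 3 and 6 of the list above with WordPress core functions. It assumes a file field named cv and a nonce field csaf_form_nonce created with wp_nonce_field( 'csaf_form_action', 'csaf_form_nonce' ); the function and nonce action names are hypothetical.

```php
<?php
// Added example, not the plugin's code: a hardened CV upload handler for a
// front-end form, applying the measures listed above. Assumes a file field
// 'cv' and a nonce field 'csaf_form_nonce' produced by
// wp_nonce_field( 'csaf_form_action', 'csaf_form_nonce' ); names are hypothetical.
function csaf_example_handle_cv_upload() {
    // Nonce check (item 6): drop submissions that did not come from our form.
    $nonce = isset( $_POST['csaf_form_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['csaf_form_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'csaf_form_action' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }
    if ( empty( $_FILES['cv']['tmp_name'] ) || UPLOAD_ERR_OK !== $_FILES['cv']['error'] ) {
        return new WP_Error( 'no_file', 'No CV received.' );
    }

    // Allow-list (item 1): extension => MIME type it must carry.
    $allowed = array(
        'pdf'  => 'application/pdf',
        'doc'  => 'application/msword',
        'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    );

    // Items 1 + 2: wp_check_filetype_and_ext() matches the extension against
    // the allow-list and sniffs the real content of the temp file with finfo, so
    // a .php name fails the list and a .pdf name wrapping PHP fails the sniff.
    $check = wp_check_filetype_and_ext( $_FILES['cv']['tmp_name'], $_FILES['cv']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only PDF, DOC and DOCX files are accepted.' );
    }

    // Item 3: store under a random name with the validated extension, so the
    // location cannot be derived from the original filename or a timestamp.
    $random_name = function ( $dir, $name, $ext ) use ( $check ) {
        return wp_generate_password( 32, false ) . '.' . $check['ext'];
    };

    require_once ABSPATH . 'wp-admin/includes/file.php'; // wp_handle_upload() lives here
    $result = wp_handle_upload( $_FILES['cv'], array(
        'test_form'                => false,
        'mimes'                    => $allowed,   // enforced again inside WP
        'unique_filename_callback' => $random_name,
    ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    // $result['file'] is the on-disk path and $result['url'] the public URL.
    return $result;
}
```

Item 5 (disabling script execution in the upload directory) is a web-server setting and is not covered by this handler; it remains the backstop if a validation bug ever lets an executable file through.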

For further information on secure development, you can search for "WordPress Plugin Developer Handbook - Security" or "OWASP File Upload Security Cheat Sheet."

Research Findings (static analysis, not yet PoC-verified)

Summary

The Career Section plugin for WordPress (<= 1.7) is vulnerable to unauthenticated arbitrary file upload due to a lack of file extension and MIME type validation in the CV upload handler within 'templates/single-csection.php'. An attacker can upload a malicious PHP script and execute it via direct URL access to the uploads directory, leading to Remote Code Execution (RCE).

Vulnerable Code

// templates/single-csection.php:177

    if ( ! empty( $_FILES['cv']['name'] ) && ! empty( $_FILES['cv']['tmp_name'] ) ) {

        // Sanitize filename
        $original_name = sanitize_file_name( $_FILES['cv']['name'] );
        $name_file = time() . '_' . $original_name;
        $destination = $cs_dir . '/' . $name_file;

        // Use WP_Filesystem to move the file instead of move_uploaded_file()
        if ( $wp_filesystem->move( $_FILES['cv']['tmp_name'], $destination, true ) ) {
            $cvfiles = "with your cv.";
            $uploaded_file_url = $upload_dir['baseurl'] . '/cs_applicant_submission_files/' . $name_file;
        }
    }

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/career-section/1.7/templates/single-csection.php	2026-03-04 06:22:06.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/career-section/1.8/templates/single-csection.php	2026-04-16 10:17:12.000000000 +0000
@@ -171,15 +171,35 @@
 
     if ( ! empty( $_FILES['cv']['name'] ) && ! empty( $_FILES['cv']['tmp_name'] ) ) {
 
-        // Sanitize filename
-        $original_name = sanitize_file_name( $_FILES['cv']['name'] );
-        $name_file = time() . '_' . $original_name;
-        $destination = $cs_dir . '/' . $name_file;
-
-        // Use WP_Filesystem to move the file instead of move_uploaded_file()
-        if ( $wp_filesystem->move( $_FILES['cv']['tmp_name'], $destination, true ) ) {
-            $cvfiles = "with your cv.";
-            $uploaded_file_url = $upload_dir['baseurl'] . '/cs_applicant_submission_files/' . $name_file;
-        }
-    }
+		$csaf_allowed_types = array(
+			'pdf'  => 'application/pdf',
+			'doc'  => 'application/msword',
+			'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+		);
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash
+		$csaf_file =  $_FILES['cv']; 		 
+		// Validate file type
+		$csaf_filetype = wp_check_filetype_and_ext( $csaf_file['tmp_name'], $csaf_file['name'], $csaf_allowed_types );
+		 
+		if ( ! $csaf_filetype['ext'] || ! $csaf_filetype['type'] ) {
+			wp_die( 'Invalid file type. Only PDF/DOC/DOCX allowed.' );
+		}
+		// Rename file (IMPORTANT)
+		$csaf_name_file = wp_generate_password( 32, false ) . '.' . $csaf_filetype['ext'];	
+
+		$csaf_upload = wp_handle_upload( $csaf_file, array(
+			'test_form' => false,
+			'mimes'     => $csaf_allowed_types,
+		));

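Review bot: the random name built at `$csaf_name_file = wp_generate_password( 32, false ) . '.' . $csaf_filetype['ext'];` is never handed to `wp_handle_upload()` in the visible lines; `wp_handle_upload()` derives the stored filename from `$csaf_file['name']` unless the overrides carry a `unique_filename_callback`, so as shown the "Rename file (IMPORTANT)" step does not affect the saved name and the guessable-location concern stays open. Suggest adding `'unique_filename_callback' => function ( $dir, $name, $ext ) use ( $csaf_name_file ) { return $csaf_name_file; },` to the overrides array (the rest of the hunk is cut off on this page, so this may already be handled further down). Also, `wp_die( 'Invalid file type. ...' )` inside a front-end template kills the whole page for the applicant; returning an error to the form would be the usual pattern. The core fix is sound: `wp_check_filetype_and_ext()` against the strict `$csaf_allowed_types` list, repeated through the `'mimes'` override, closes the missing-validation hole.
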
Exploit Outline

To exploit this vulnerability:

  1. Locate a published 'csection' post (job listing) on the target WordPress site.
  2. Extract the 'csaf_form_nonce' from the application form's HTML source.
  3. Submit a multipart/form-data POST request to the job listing's URL with the required 'first_name' field and the 'csaf_form_nonce'.
  4. In the 'cv' file field, upload a malicious PHP script (e.g., a web shell).
  5. The plugin will save the file to '/wp-content/uploads/cs_applicant_submission_files/' using a filename pattern of '[unix_timestamp]_[original_filename]'.
  6. Access the uploaded script via its direct URL to achieve Remote Code Execution.

No authentication is required for this exploit.
