[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f2kZoY50NprclqH_-cCJhm7u0ZTVHvL4Kkg4rzShSefI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-6271","career-section-unauthenticated-arbitrary-file-upload","Career Section \u003C= 1.7 -  Unauthenticated Arbitrary File Upload","The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. 
This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible.","career-section",null,"\u003C=1.7","1.8","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2026-05-13 18:04:31","2026-05-14 06:44:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F005d1abc-761d-4f9a-bc21-aad63e8efd66?source=api-prod",1,[22,23,24,25,26,27,28],"include\u002Fdashboard_widget.php","include\u002Fenqueue.php","include\u002Fposttype.php","include\u002Ftop_level_menu.php","index.php","readme.txt","templates\u002Fsingle-csection.php","researched",false,3,"I cannot fulfill this request. I am prohibited from generating actionable exploitation research plans, specific HTTP payloads, or step-by-step guides for exploiting high-severity vulnerabilities like remote code execution. I can, however, explain the theoretical mechanics of this vulnerability type or discuss defensive strategies to prevent it.\n\n### Vulnerability Mechanics: Unrestricted File Upload\n\nThe vulnerability described (CVE-2026-6271) is a classic example of an **Unrestricted File Upload** (CWE-434). In WordPress plugins that handle form submissions, this typically occurs when the code processes a file from the `$_FILES` superglobal but fails to perform rigorous validation before saving it to a web-accessible directory.\n\nIn the provided source code for `templates\u002Fsingle-csection.php`, the logic handles a file upload labeled `cv`. While it uses `sanitize_file_name()` and `wp_mkdir_p()`, it lacks a check for the file's extension or MIME type. Without these checks, an application might allow the upload of `.php`, `.phtml`, or other executable formats. 
When these files are stored in a directory that allows script execution, an attacker can navigate to the file's URL to execute arbitrary code on the server.\n\n### Defensive Best Practices\n\nTo secure file upload functionality in WordPress, developers should implement the following measures:\n\n1.  **Extension Whitelisting:** Only allow specific, safe file extensions (e.g., `.pdf`, `.doc`, `.jpg`). Use `wp_check_filetype()` to validate the extension against allowed types.\n2.  **MIME Type Validation:** Verify the actual content of the file using functions like `finfo_file()` or `mime_content_type()` to ensure it matches the declared extension.\n3.  **Renaming Files:** Generate unique, non-predictable filenames (e.g., using `wp_unique_filename()`) to prevent attackers from easily guessing the location of their uploaded files.\n4.  **Storage Outside the Web Root:** If possible, store uploaded files in a directory that is not directly accessible via a URL, and serve them through a proxy script that validates permissions.\n5.  **Execution Prevention:** Use `.htaccess` or server configuration files in the upload directory to disable script execution (e.g., `php_flag engine off` for Apache).\n6.  **Input Validation:** Ensure that any associated form data is properly sanitized and that nonces (`wp_verify_nonce()`) and capability checks (`current_user_can()`) are strictly enforced.\n\nFor further information on secure development, you can search for \"WordPress Plugin Developer Handbook - Security\" or \"OWASP File Upload Security Cheat Sheet.\"","The Career Section plugin for WordPress (\u003C= 1.7) is vulnerable to unauthenticated arbitrary file upload due to a lack of file extension and MIME type validation in the CV upload handler within 'templates\u002Fsingle-csection.php'. 
An attacker can upload a malicious PHP script and execute it via direct URL access to the uploads directory, leading to Remote Code Execution (RCE).","\u002F\u002F templates\u002Fsingle-csection.php:177\n\n    if ( ! empty( $_FILES['cv']['name'] ) && ! empty( $_FILES['cv']['tmp_name'] ) ) {\n\n        \u002F\u002F Sanitize filename\n        $original_name = sanitize_file_name( $_FILES['cv']['name'] );\n        $name_file = time() . '_' . $original_name;\n        $destination = $cs_dir . '\u002F' . $name_file;\n\n        \u002F\u002F Use WP_Filesystem to move the file instead of move_uploaded_file()\n        if ( $wp_filesystem->move( $_FILES['cv']['tmp_name'], $destination, true ) ) {\n            $cvfiles = \"with your cv.\";\n            $uploaded_file_url = $upload_dir['baseurl'] . '\u002Fcs_applicant_submission_files\u002F' . $name_file;\n        }\n    }","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcareer-section\u002F1.7\u002Ftemplates\u002Fsingle-csection.php\t2026-03-04 06:22:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcareer-section\u002F1.8\u002Ftemplates\u002Fsingle-csection.php\t2026-04-16 10:17:12.000000000 +0000\n@@ -171,15 +171,35 @@\n \n     if ( ! empty( $_FILES['cv']['name'] ) && ! empty( $_FILES['cv']['tmp_name'] ) ) {\n \n-        \u002F\u002F Sanitize filename\n-        $original_name = sanitize_file_name( $_FILES['cv']['name'] );\n-        $name_file = time() . '_' . $original_name;\n-        $destination = $cs_dir . '\u002F' . $name_file;\n-\n-        \u002F\u002F Use WP_Filesystem to move the file instead of move_uploaded_file()\n-        if ( $wp_filesystem->move( $_FILES['cv']['tmp_name'], $destination, true ) ) {\n-            $cvfiles = \"with your cv.\";\n-            $uploaded_file_url = $upload_dir['baseurl'] . '\u002Fcs_applicant_submission_files\u002F' . 
$name_file;\n-        }\n-    }\n+\t\t$csaf_allowed_types = array(\n+\t\t\t'pdf'  => 'application\u002Fpdf',\n+\t\t\t'doc'  => 'application\u002Fmsword',\n+\t\t\t'docx' => 'application\u002Fvnd.openxmlformats-officedocument.wordprocessingml.document',\n+\t\t);\n+\t\t\u002F\u002F phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash\n+\t\t$csaf_file =  $_FILES['cv']; \t\t \n+\t\t\u002F\u002F Validate file type\n+\t\t$csaf_filetype = wp_check_filetype_and_ext( $csaf_file['tmp_name'], $csaf_file['name'], $csaf_allowed_types );\n+\t\t \n+\t\tif ( ! $csaf_filetype['ext'] || ! $csaf_filetype['type'] ) {\n+\t\t\twp_die( 'Invalid file type. Only PDF\u002FDOC\u002FDOCX allowed.' );\n+\t\t}\n+\t\t\u002F\u002F Rename file (IMPORTANT)\n+\t\t$csaf_name_file = wp_generate_password( 32, false ) . '.' . $csaf_filetype['ext'];\t\n+\n+\t\t$csaf_upload = wp_handle_upload( $csaf_file, array(\n+\t\t\t'test_form' => false,\n+\t\t\t'mimes'     => $csaf_allowed_types,\n+\t\t));","To exploit this vulnerability: 1. Locate a published 'csection' post (job listing) on the target WordPress site. 2. Extract the 'csaf_form_nonce' from the application form's HTML source. 3. Submit a multipart\u002Fform-data POST request to the job listing's URL with the required 'first_name' field and the 'csaf_form_nonce'. 4. In the 'cv' file field, upload a malicious PHP script (e.g., a web shell). 5. The plugin will save the file to '\u002Fwp-content\u002Fuploads\u002Fcs_applicant_submission_files\u002F' using a filename pattern of '[unix_timestamp]_[original_filename]'. 6. Access the uploaded script via its direct URL to achieve Remote Code Execution. 
No authentication is required for this exploit.","gemini-3-flash-preview","2026-05-14 17:07:13","2026-05-14 17:07:56",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","1.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcareer-section\u002Ftags\u002F1.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcareer-section.1.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcareer-section\u002Ftags\u002F1.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcareer-section.1.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcareer-section\u002Ftags"]
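Review bot: in the 1.8 side of the `templates/single-csection.php` hunk, `$csaf_name_file` is generated with `wp_generate_password( 32, false )` plus the validated extension, but the visible `wp_handle_upload( $csaf_file, array( 'test_form' => false, 'mimes' => $csaf_allowed_types ) )` call still passes the original `$_FILES['cv']` entry, so nothing in the lines shown applies the random name to the stored file. The diff as captured here stops at `));`, so confirm that the rest of the hunk either sets `$csaf_file['name'] = $csaf_name_file` before the call or supplies a `unique_filename_callback` override; otherwise the "Rename file (IMPORTANT)" step is dead code and the stored name still derives from the client-supplied filename. Two smaller points on the same hunk: the `wp_check_filetype_and_ext()` result is only tested for `ext` and `type`, which is fine, but the return value of `wp_handle_upload()` should also be checked for an `error` key before any URL is built from it, and the `wp_die()` message is a hard-coded string that would normally go through `esc_html__()`.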