CVE-2026-6271CRITICAL 9.8EPSS p46.9%

CVE-2026-6271CVE-2026-6271

Description

The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.66% probability of exploitation · percentile 46.9% · 2026-06-18T12:00:27Z
Published2026-05-14
Last modified2026-05-14

Underlying weaknesses· 1

CWE-434

References

  1. https://plugins.trac.wordpress.org/changeset/3507785/career-section
  2. https://plugins.trac.wordpress.org/changeset/3507912/career-section
  3. https://plugins.trac.wordpress.org/changeset/3507917/career-section
  4. https://www.wordfence.com/threat-intel/vulnerabilities/id/005d1abc-761d-4f9a-bc21-aad63e8efd66?source=cve

1

TypeTargetConfidenceTier
WeaknessUnrestricted Upload of File with Dangerous Typecwe-4340%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-12153
CVE
CVE-2026-4882
CVE
CVE-2026-1756
CVE
CVE-2025-2005
CVE
CVE-2025-4279
CVE
CVE-2025-11170
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.