CVE-2026-6271

CRITICAL · 9.8
hype MIXED · 45

Fresh disclosure, no PoC/KEV/exploitation signals yet; chatter is advisory amplification.

What: Career Section WordPress plugin vulnerable to unauthenticated arbitrary file upload leading to remote code execution in all versions ≤1.7 (CVSS 9.8 CRITICAL).

Why it matters: Published today with CVSS 9.8 and no patch available. Allows unauthenticated attackers to upload executable files via the CV upload handler. Not yet KEV-listed, but social chatter is immediate and widespread. No confirmed PoC or in-the-wild exploitation reported yet.

Where it's seen: Security researchers and automated CVE feeds posting advisory summaries within hours of NVD publication. One vendor security account flagged "no patch yet." Mostly reposts of the same disclosure across Bluesky and Twitter.

RISK: CRITICAL — Unauthenticated RCE in popular WordPress plugin; no patch available; high CVSS.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 5/14/2026, 10:34:36 AM

Description

The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible.

CVSS 3.1 breakdown

Exploitability 3.9 · Impact 5.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Weaknesses