CVE-2025-26935
Published: 25 February 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-26935 is a path traversal vulnerability in the WP Job Portal plugin (wp-job-portal) for WordPress, specifically exploiting the '.../...//' sequence to enable PHP local file inclusion (LFI). This flaw affects all versions of the plugin up to and including 2.2.8, with no lower bound specified. Mapped to CWE-35 (Path Traversal) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high potential impact despite elevated exploitation complexity.
The vulnerability can be exploited remotely over the network by an attacker with low privileges, such as an authenticated user with subscriber-level access or equivalent. Exploitation requires high attack complexity, likely due to specific input conditions or plugin states, but needs no user interaction from victims. Successful attacks enable high-impact confidentiality, integrity, and availability violations through LFI, potentially allowing arbitrary local file reads or PHP code execution if sensitive files like configuration or web shells are targeted.
For mitigation details, refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-2-8-local-file-inclusion-vulnerability?_s_id=cve, which documents the issue and likely recommends updating to a patched version beyond 2.2.8 or applying available defenses.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal leading to LFI in a public-facing WordPress plugin directly maps to exploiting internet-facing applications (T1190); the requirement for low-privileged auth (subscriber) combined with high CIA impact enables privilege escalation via software vulnerability exploitation (T1068).