
CVE-2025-14293: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wpjobportal WP Job Portal – AI-Powered Recruitment System for Company or Job Board website

Medium
Tags: Vulnerability, CVE-2025-14293, CWE-22
Published: Thu Dec 11 2025 (12/11/2025, 20:22:09 UTC)
Source: CVE Database V5
Vendor/Project: wpjobportal
Product: WP Job Portal – AI-Powered Recruitment System for Company or Job Board website

Description

The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the 'downloadCustomUploadedFile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

AI-Powered Analysis

Last updated: 12/11/2025, 20:56:24 UTC

Technical Analysis

CVE-2025-14293 is a path traversal vulnerability classified under CWE-22, found in the WP Job Portal plugin for WordPress, an AI-powered recruitment system used by companies and job boards. The vulnerability exists in the 'downloadCustomUploadedFile' function, which fails to properly restrict pathname inputs, allowing authenticated users with as little as Subscriber-level privileges to read arbitrary files on the server. This arbitrary file read capability enables attackers to access sensitive server files, such as configuration files, credentials, or other private data, potentially leading to information disclosure. The vulnerability requires authentication but no additional user interaction, and the attack vector is network-based with low complexity. The CVSS v3.1 score is 6.5, reflecting medium severity: the confidentiality impact is high, while integrity and availability are unaffected. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be considered a significant risk for affected installations. Organizations using this plugin should assess their exposure and implement compensating controls until a patch is released.

Potential Impact

For European organizations, this vulnerability poses a risk of sensitive data exposure from recruitment or job board websites using the WP Job Portal plugin. Confidential information such as internal configuration files, user data, or credentials could be accessed by low-privileged authenticated users, potentially leading to further compromise if attackers leverage disclosed information. This can damage organizational reputation, violate data protection regulations like GDPR, and result in legal and financial consequences. The impact is particularly critical for organizations handling large volumes of personal data or operating in regulated sectors such as finance, healthcare, or government. Since the vulnerability does not affect integrity or availability, the primary concern is confidentiality breach. The ease of exploitation by authenticated users increases risk, especially in environments with many registered users or weak access controls.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately restrict access to the WP Job Portal plugin functions to trusted users only, minimizing the number of accounts with Subscriber-level or higher privileges. Implement strict user role management and audit existing accounts for unnecessary privileges. Monitor web server and application logs for unusual file access patterns related to the 'downloadCustomUploadedFile' function. Employ web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting this plugin. Until an official patch is released, consider disabling the plugin or replacing it with alternative recruitment solutions that do not have this vulnerability. Additionally, ensure that sensitive files on the server are stored outside the web root or have appropriate filesystem permissions to limit exposure. Regularly update WordPress core and plugins to reduce attack surface.
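The two controls above that can be expressed in code are a containment check for a file-download handler (the CWE-22 fix) and a log review for traversal sequences. The following is an added illustration written for this page; it is not code from the WP Job Portal plugin, and the upload directory, the request format and the access-log lines are constructed for the demo (the plugin's real paths and URL scheme are not stated here).

```python
"""Defender-side illustration for a CWE-22 file-download handler.

resolve_within()            - canonicalise a requested file name and refuse
                              anything that escapes the upload directory.
flag_traversal_requests()   - scan access-log lines (Common Log Format) for
                              requests that contain a traversal sequence, after
                              undoing single and double percent-encoding.
Paths, request format and log lines are constructed; nothing here is taken
from the plugin itself.
"""
import os
import re
from urllib.parse import unquote

# Assumed location of uploaded files for this demo (not the plugin's real path).
UPLOAD_ROOT = "/var/www/html/wp-content/uploads/job-portal-files"

# Common Log Format: client ident user [time] "METHOD target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." followed by a separator or the end of the target; "..foo.pdf" does not match.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")


def fully_decode(value, rounds=2):
    """Percent-decode repeatedly so double-encoded input (%252e -> %2e -> .) is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_within(base_dir, requested):
    """Return the canonical path of `requested` if it stays under base_dir, else None.

    The web server has already URL-decoded `requested`, so no decoding is done here;
    realpath() resolves '..' and symlinks, and commonpath() enforces containment.
    """
    requested = requested.replace("\\", "/")
    if "\x00" in requested or os.path.isabs(requested):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # Reject the directory itself (empty name) and anything outside it.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def flag_traversal_requests(log_lines):
    """Return (ip, status, decoded_target) for every request carrying a traversal sequence."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = fully_decode(m.group("target")).replace("\\", "/")
        if TRAVERSAL_RE.search(target):
            hits.append((m.group("ip"), int(m.group("status")), target))
    return hits


# Constructed sample access log: one benign download, three traversal attempts
# (plain, single-encoded, double-encoded) and one file name that merely starts with "..".
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Dec/2025:20:30:01 +0000] "GET /index.php?file=resume.pdf HTTP/1.1" 200 5120',
    '203.0.113.7 - - [11/Dec/2025:20:30:05 +0000] "GET /index.php?file=../../../../wp-config.php HTTP/1.1" 200 3412',
    '203.0.113.7 - - [11/Dec/2025:20:30:09 +0000] "GET /index.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2000',
    '203.0.113.9 - - [11/Dec/2025:20:31:00 +0000] "GET /index.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 404 0',
    '198.51.100.2 - - [11/Dec/2025:20:31:30 +0000] "GET /index.php?file=..archive.pdf HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for name in ("cv/alice.pdf", "../../../../wp-config.php", "/etc/passwd", ""):
        print(f"{name!r:32} -> {resolve_within(UPLOAD_ROOT, name)}")
    for ip, status, target in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip} (HTTP {status}): {target}")
```

A 200 status on a flagged line is the one to escalate: it means the handler served the file, whereas a 404 or 403 shows the request was refused. Note that the detector decodes twice before matching because a single-pass WAF rule sees only `%252e` and misses the double-encoded variant.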


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-12-08T19:46:21.034Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 693b2c5f22246175c6996d20

Added to database: 12/11/2025, 8:41:03 PM

Last enriched: 12/11/2025, 8:56:24 PM

Last updated: 12/11/2025, 11:47:15 PM


