CVE-2026-4758 is a path traversal vulnerability categorized under CWE-22 found in the WP Job Portal plugin for WordPress, specifically in the function WPJOBPORTALcustomfields::removeFileCustom. The vulnerability arises due to improper validation of file paths, allowing an authenticated attacker with Subscriber-level privileges or higher to delete arbitrary files on the web server. This is possible because the plugin does not adequately restrict or sanitize the pathname input, enabling traversal outside the intended directory. Deleting critical files such as wp-config.php can disrupt the WordPress installation or facilitate remote code execution by forcing the system to regenerate configuration or by enabling attackers to upload malicious files subsequently. The vulnerability affects all versions up to and including 2.4.9 of the plugin. Exploitation requires authentication but no additional user interaction, and the attack can be performed remotely over the network. The CVSS v3.1 score is 8.8 (High), reflecting the network attack vector, low attack complexity, required privileges (low), no user interaction, and high impact on confidentiality, integrity, and availability. No official patches or exploit code are currently publicly available, but the risk remains significant due to the potential for severe damage. The vulnerability was published on March 25, 2026, and assigned by Wordfence. Organizations using this plugin in their WordPress environments should consider immediate mitigation steps to prevent exploitation.

The impact of CVE-2026-4758 is substantial for organizations using the WP Job Portal plugin. Successful exploitation allows attackers with minimal privileges to delete arbitrary files on the server, which can lead to denial of service by removing essential files or enable remote code execution by deleting configuration files such as wp-config.php. This compromises the confidentiality, integrity, and availability of the affected systems. Attackers could disrupt recruitment operations, steal sensitive data, or gain persistent access to the server. Given the plugin's use in recruitment and job board websites, organizations handling personal and corporate data are at risk of data breaches and operational downtime. The vulnerability's ease of exploitation and high impact make it a critical threat to WordPress sites using this plugin, potentially affecting thousands of websites globally.

To mitigate CVE-2026-4758, organizations should immediately update the WP Job Portal plugin to a patched version once available. In the absence of an official patch, administrators should restrict plugin access to trusted users only and consider disabling or removing the plugin temporarily. Implementing web application firewall (WAF) rules to detect and block path traversal attempts targeting the removeFileCustom function can reduce risk. Additionally, hardening file system permissions to prevent deletion of critical files by the web server user can limit damage. Monitoring logs for suspicious file deletion requests and auditing user privileges to ensure minimal necessary access can further reduce exposure. Employing intrusion detection systems to alert on anomalous file operations related to the plugin is also recommended. Finally, regular backups of website files and databases should be maintained to enable rapid recovery if exploitation occurs.