high advisory

WP Job Portal Plugin SQL Injection Vulnerability

The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter, allowing unauthenticated attackers to extract sensitive database information in versions up to 2.4.8.

The WP Job Portal plugin for WordPress, a widely used plugin for managing job listings, is susceptible to SQL Injection attacks. This vulnerability, identified as CVE-2026-4306, affects all versions up to and including 2.4.8. The flaw stems from the insufficient sanitization of the ‘radius’ parameter, which is directly incorporated into SQL queries without proper escaping. This lack of input validation enables unauthenticated attackers to inject malicious SQL code into the application’s database queries. Successful exploitation could lead to the unauthorized disclosure of sensitive information stored within the WordPress database. Given the popularity of WordPress and the WP Job Portal plugin, a successful attack could impact a large number of websites and expose confidential data, including user credentials, financial details, and other sensitive information.

Attack Chain

  1. An unauthenticated attacker crafts a malicious HTTP request targeting the WordPress website running the vulnerable WP Job Portal plugin.
  2. The attacker appends a SQL injection payload to the ‘radius’ parameter within the HTTP request.
  3. The vulnerable plugin receives the request and incorporates the unsanitized ‘radius’ parameter into an SQL query within includes/ajax.php or modules/job/model.php.
  4. The injected SQL code is executed against the WordPress database due to the lack of proper input validation and escaping.
  5. The attacker leverages the SQL injection to extract sensitive information from the database, such as user credentials, API keys, or other confidential data.
  6. The extracted data may be exfiltrated from the server using various techniques.
  7. The attacker could potentially use the compromised data to gain further access to the WordPress site or connected systems.

Impact

Successful exploitation of this SQL Injection vulnerability (CVE-2026-4306) could lead to the complete compromise of the WordPress database, giving attackers unauthorized access to sensitive information, including user credentials, customer data, and confidential business information. The vulnerability affects all users running WP Job Portal plugin versions 2.4.8 and earlier. The CVSS v3.1 score is 7.5, indicating high severity.

Recommendation

  • Upgrade the WP Job Portal plugin to version 2.4.9 or later to patch the SQL Injection vulnerability (CVE-2026-4306).
  • Deploy a web application firewall (WAF) with rules to detect and block SQL Injection attempts targeting the ‘radius’ parameter in WordPress plugins.
  • Enable detailed web server access logging (Sigma log source category “webserver”, product “linux|windows”) so that suspicious requests and exploitation attempts can be monitored.

Detection coverage (2 rules)

Detect SQL Injection attempts in WP Job Portal Plugin via Radius Parameter

high

Detects potential SQL injection attempts targeting the 'radius' parameter in the WP Job Portal plugin for WordPress. This rule looks for common SQL injection syntax within the URI query string.

Rule format: Sigma | Tactic: initial_access | Technique: T1190 | Sources: webserver, linux

Detecting access to sensitive files after potential SQLi in WP Job Portal

medium

This rule detects access attempts to sensitive WordPress files after a successful SQL Injection in the WP Job Portal plugin, which helps identify post-exploitation activity.

Rule format: Sigma | Tactic: persistence | Technique: T1547.001 | Sources: webserver, linux
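The two rules above are summarised only in prose, so here is an added worked example of the same detection logic in Python, run over constructed web server access log lines. It is not the platform's Sigma rule and not code from the WP Job Portal project. Only the 'radius' parameter name comes from the advisory; the request path, the 'action' value, the IP addresses (documentation ranges) and the list of "sensitive" WordPress file paths are assumptions made for the example. The first rule (SQL injection syntax in the 'radius' query parameter) and the second rule (a source that triggered the first rule later requesting a sensitive file) are both implemented in `scan_log`.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access log (combined format). The IPs are documentation
# ranges, and the endpoint path and 'action' value are assumptions; only the
# 'radius' parameter name comes from the advisory. Lines are in time order.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=jobsearch&radius=25 HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=jobsearch&radius=25%27%20OR%201%3D1--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2026:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=jobsearch&radius=1%20UNION%20SELECT%20NULL,NULL-- HTTP/1.1" 500 412 "-" "curl/8.0"
203.0.113.10 - - [01/Mar/2026:10:02:30 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.50 - - [01/Mar/2026:10:02:45 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2026:10:03:00 +0000] "GET /wp-content/uploads/2026/03/resume.pdf HTTP/1.1" 200 88123 "-" "curl/8.0"
"""

# Combined log format: client IP, identd, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Generic SQL injection indicators, checked only after the allowlist test below fails.
SQLI_PATTERNS = [
    re.compile(r"['\"`]"),                                   # quote breaking out of a string literal
    re.compile(r"--|/\*|#"),                                 # SQL comment sequences
    re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE),     # UNION ... SELECT
    re.compile(r"\b(or|and)\b\s+[\w'\"]+\s*(=|<|>|like)", re.IGNORECASE),  # boolean tautologies
    re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.IGNORECASE),  # time-based probes
    re.compile(r";\s*\w"),                                   # stacked statement
]
NUMERIC_RE = re.compile(r"-?\d+(\.\d+)?")

# Assumed list of files whose retrieval after an injection attempt is worth flagging.
SENSITIVE_PATHS = frozenset({
    "/wp-config.php", "/wp-config.php.bak", "/wp-config.php~",
    "/.htaccess", "/wp-content/debug.log",
})


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sqli_radius(value):
    """True if a 'radius' value is not a plain number and carries SQL injection syntax.

    A search radius is legitimately numeric, so the allowlist check comes first; the
    value is URL-decoded once more to catch double-encoded payloads.
    """
    decoded = unquote_plus(value).strip()
    if NUMERIC_RE.fullmatch(decoded):
        return False
    return any(p.search(decoded) for p in SQLI_PATTERNS)


def scan_log(log_text):
    """Apply both rules to the log. Lines are assumed to be in chronological order."""
    sqli_events, post_exploitation, flagged_ips = [], [], set()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        ip, parts = rec["ip"], urlsplit(rec["target"])
        # Rule 1: SQL injection syntax in the 'radius' query parameter.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("radius", []):
            if is_sqli_radius(raw):
                sqli_events.append({"line": lineno, "ip": ip, "radius": unquote_plus(raw)})
                flagged_ips.add(ip)
        # Rule 2: a previously flagged source later requests a sensitive file.
        if ip in flagged_ips and parts.path in SENSITIVE_PATHS:
            post_exploitation.append(
                {"line": lineno, "ip": ip, "path": parts.path, "status": rec["status"]}
            )
    return {"sqli_events": sqli_events, "post_exploitation": post_exploitation}


if __name__ == "__main__":
    for kind, events in scan_log(SAMPLE_LOG).items():
        for e in events:
            print(kind, e)
```

The numeric allowlist in `is_sqli_radius` is also the shape of the fix on the plugin side: a radius only ever needs to be a number, so casting it before it reaches the query (or binding it as a parameter) removes the injection surface that the pattern list is trying to catch after the fact. Note that rule 2 keys on source IP only, so on a log where many clients share an address (NAT, proxies) it will need a tighter correlation key such as a session cookie.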
