Critical severity9.8NVD Advisory· Published May 14, 2026· Updated May 14, 2026

CVE-2026-6271

Description

The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible.

Affected products

WordPress/Career Sectioninferred
Range: <=1.7
Package: https://wordpress.org/plugins/career-section

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changeset/3507785/career-sectionnvd
plugins.trac.wordpress.org/changeset/3507912/career-sectionnvd
plugins.trac.wordpress.org/changeset/3507917/career-sectionnvd
www.wordfence.com/threat-intel/vulnerabilities/id/005d1abc-761d-4f9a-bc21-aad63e8efd66nvd

News mentions

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 13, 2026 to April 19, 2026)
Wordfence Blog · Apr 23, 2026

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000