CVE-2025-26935: 
WordPress vulnerability analysis and mitigation

The WP Job Portal WordPress plugin contains a Local File Inclusion vulnerability (CVE-2025-26935) discovered in versions up to and including 2.2.8. The vulnerability was publicly disclosed on February 23, 2025, and affects authenticated users with contributor-level access or higher. A patch was released in version 2.2.9 to address this security issue (WPScan, Patchstack).

The vulnerability allows authenticated attackers with contributor-level privileges to include and execute arbitrary files on the server. This could potentially lead to the execution of any PHP code contained within those files. The vulnerability has been assigned a CVSS score of 8.8 (high) according to WPScan, while Patchstack rates it at 7.5 (low). The issue is classified under OWASP Top 10 category A1: Injection and CWE-98 (WPScan, Patchstack).

The vulnerability could allow attackers to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. Files containing credentials, such as database configuration files, could potentially be accessed, leading to complete database compromise depending on the server configuration (WPScan, Patchstack).

The vulnerability has been patched in WP Job Portal version 2.2.9. Site administrators are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update functionality for vulnerable plugins as an additional security measure (Patchstack).