Security Alert Summary
The WP Job Portal plugin for WordPress is affected by an SQL injection vulnerability via the radius parameter in versions up to and including 2.4.8. An unauthenticated attacker can supply crafted input that is insufficiently escaped, allowing additional SQL to be appended to existing queries and enabling extraction of sensitive database information.
CVE Details
- CVE ID: CVE-2026-4306
- Affected component: WP Job Portal plugin for WordPress
- Affected versions: All versions up to and including 2.4.8
- Published: March 23, 2026 11:17:13 PM UTC
- Last modified: March 24, 2026 3:53:48 PM UTC
- CVSS v3.1: Base Score 7.5, Severity HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Authentication / privileges / user interaction: No authentication required; Privileges Required: NONE; User Interaction: NONE
- Primary impact: Confidentiality: HIGH; Integrity: NONE; Availability: NONE
- Weakness (CWE): CWE-89 (SQL Injection)
Technical Details
The vulnerability exists because user-supplied input passed to the radius parameter is not sufficiently escaped and the underlying SQL query is not prepared with bound parameters, so an attacker can append additional SQL to an existing query. The CVE description identifies the radius parameter as the entry point. The code references listed below point at plugin files such as includes/ajax.php and modules/job/model.php (as tagged in version 2.4.7), where the vulnerable handling occurs.
An unauthenticated attacker who can supply a crafted radius value can therefore make the application execute injected SQL and return data from the database that the request should never expose. This is a classic SQL injection: the root cause is insufficient escaping of input combined with the absence of parameterized (prepared) queries.
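The following is an added illustration, not code from WP Job Portal or from the advisory, of the defect class described above and of the fix that WordPress itself provides. The table, column names, AJAX action and numeric limits are hypothetical; the point is the contrast between a request value concatenated into a query string and the same query built with $wpdb->prepare() after the value has been validated as a number.

```php
<?php
// Added example (hypothetical schema and endpoint), contrasting an unsafe
// query build with the hardened form using validation plus $wpdb->prepare().

/**
 * UNSAFE PATTERN (for comparison only): the radius value from the request is
 * interpolated straight into the SQL text, so anything other than a plain
 * number becomes part of the statement the database executes.
 */
function jobs_within_radius_unsafe( $lat, $lng, $radius ) {
    global $wpdb;
    $sql = "SELECT id, title FROM {$wpdb->prefix}jobs "
         . "WHERE ( 6371 * ACOS( COS( RADIANS({$lat}) ) * COS( RADIANS(latitude) ) "
         . "* COS( RADIANS(longitude) - RADIANS({$lng}) ) "
         . "+ SIN( RADIANS({$lat}) ) * SIN( RADIANS(latitude) ) ) ) <= {$radius}";
    return $wpdb->get_results( $sql );
}

/**
 * HARDENED FORM: reject anything that is not a float before the query is
 * built, then let $wpdb->prepare() bind every value through a typed
 * placeholder (%f). Identifiers such as the table name cannot be bound, so
 * they come from trusted code ($wpdb->prefix), never from the request.
 */
function jobs_within_radius( $lat, $lng, $radius ) {
    global $wpdb;

    // FILTER_VALIDATE_FLOAT returns false for any value that is not a float-formatted string.
    $lat    = filter_var( $lat,    FILTER_VALIDATE_FLOAT );
    $lng    = filter_var( $lng,    FILTER_VALIDATE_FLOAT );
    $radius = filter_var( $radius, FILTER_VALIDATE_FLOAT );
    if ( false === $lat || false === $lng || false === $radius ) {
        return new WP_Error( 'invalid_input', 'Latitude, longitude and radius must be numeric.' );
    }
    // Clamp to the range the feature actually needs (hypothetical limits).
    if ( $lat < -90 || $lat > 90 || $lng < -180 || $lng > 180 || $radius <= 0 || $radius > 1000 ) {
        return new WP_Error( 'out_of_range', 'Search parameters are out of range.' );
    }

    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}jobs
         WHERE ( 6371 * ACOS( COS( RADIANS(%f) ) * COS( RADIANS(latitude) )
                 * COS( RADIANS(longitude) - RADIANS(%f) )
                 + SIN( RADIANS(%f) ) * SIN( RADIANS(latitude) ) ) ) <= %f",
        $lat, $lng, $lat, $radius
    );
    return $wpdb->get_results( $sql );
}

// Hypothetical AJAX handler showing where the request values enter. Both the
// nopriv and the logged-in hooks are registered, matching the unauthenticated
// exposure the advisory describes.
add_action( 'wp_ajax_nopriv_jobs_radius_search', 'jobs_radius_search_handler' );
add_action( 'wp_ajax_jobs_radius_search', 'jobs_radius_search_handler' );
function jobs_radius_search_handler() {
    $result = jobs_within_radius(
        isset( $_POST['lat'] ) ? wp_unslash( $_POST['lat'] ) : '',
        isset( $_POST['lng'] ) ? wp_unslash( $_POST['lng'] ) : '',
        isset( $_POST['radius'] ) ? wp_unslash( $_POST['radius'] ) : ''
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( $result );
}
```

Escaping alone is not the fix: a numeric value that is never quoted in the SQL cannot be protected by string escaping, which is why the hardened form both validates the type and binds the value with a %f placeholder. The same rule applies to any other request parameter that reaches a query.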
How This Could Impact Your Website
In a realistic scenario, a site owner runs the WP Job Portal plugin while internal staff and external contractors manage job listings and applicant data. Because the vulnerability can be exploited without authentication, an attacker could extract information stored in the site database, such as user records or applicant details. This can lead to exposure of internal user email addresses and other sensitive fields, increasing the risk of targeted phishing or social engineering against staff and contractors. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor-level accounts and any accounts that are not actively used.
- Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual queries or behavior that could indicate exploitation.
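As an added example for the log-monitoring step above (not part of the advisory), the script below scans web-server access log lines and flags requests whose radius query parameter is present but not a plain number. The log lines are constructed, and the endpoint path and parameter name are assumptions; a radius value sent in a POST body does not appear in a standard access log, so that case needs WAF or request-body logging instead.

```php
<?php
// Added example: flag requests whose `radius` query parameter is not a plain
// number. Sample lines are constructed and not real traffic.

$sample_log = <<<LOG
203.0.113.10 - - [24/Mar/2026:10:01:02 +0000] "GET /?radius=25&lat=51.5&lng=-0.1 HTTP/1.1" 200 5120
203.0.113.11 - - [24/Mar/2026:10:01:05 +0000] "GET /?radius=25abc&lat=51.5 HTTP/1.1" 200 5120
203.0.113.12 - - [24/Mar/2026:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=jobsearch&radius=10 HTTP/1.1" 200 2048
203.0.113.13 - - [24/Mar/2026:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=jobsearch&radius=10%27 HTTP/1.1" 200 2048
203.0.113.14 - - [24/Mar/2026:10:01:15 +0000] "GET /jobs/ HTTP/1.1" 200 9000
LOG;

/**
 * Return the decoded value of a query parameter from the request target in a
 * combined-format log line, or null when the request has no such parameter.
 */
function extract_query_param( string $line, string $name ): ?string {
    // The request target sits between the method and the protocol inside quotes.
    if ( ! preg_match( '/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
        return null;
    }
    $query = parse_url( $m[1], PHP_URL_QUERY );
    if ( ! $query ) {
        return null;
    }
    parse_str( $query, $params ); // parse_str also percent-decodes the values
    return isset( $params[ $name ] ) ? (string) $params[ $name ] : null;
}

/** True when a value is a plain decimal number (optional sign, optional fraction). */
function is_plain_number( string $value ): bool {
    return (bool) preg_match( '/^-?\d+(\.\d+)?$/', $value );
}

/**
 * Scan log text and return the offending values keyed by 1-based line number
 * for every request whose parameter is present but not a plain number.
 */
function find_suspicious_radius( string $log_text, string $param = 'radius' ): array {
    $hits = array();
    foreach ( preg_split( '/\R/', trim( $log_text ) ) as $i => $line ) {
        $value = extract_query_param( $line, $param );
        if ( null !== $value && ! is_plain_number( $value ) ) {
            $hits[ $i + 1 ] = $value;
        }
    }
    return $hits;
}

// Usage: php scan.php  (expect lines 2 and 4 of the sample to be reported)
foreach ( find_suspicious_radius( $sample_log ) as $line_no => $value ) {
    printf( "line %d: non-numeric radius value %s\n", $line_no, var_export( $value, true ) );
}
```

The check is deliberately a type check rather than a keyword list: any value that is not a number should never reach the query, so flagging on that property catches malformed input regardless of what it contains. Run it over a real log by reading the file into $sample_log, and adapt the parameter name if the site exposes the search under a different one.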
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.4.7/includes/ajax.php#L10
- https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.4.7/modules/job/model.php#L2743
- https://plugins.trac.wordpress.org/changeset?old_path=/wp-job-portal/tags/2.4.8&new_path=/wp-job-portal/tags/2.4.9
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ecc34552-c9b0-455f-b1c7-b31cc847cb22?source=cve