CVE-2025-26935
Published: 25 February 2025
Summary
CVE-2025-26935 is a high-severity Path Traversal: '.../...//' (CWE-35) vulnerability in Wpjobportal Wp Job Portal. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely patching and updating of the vulnerable WP Job Portal plugin versions <=2.2.8 to eliminate the path traversal flaw.
Prevents exploitation of the path traversal vulnerability by enforcing validation of file path inputs to block sequences like '.../...//' that enable PHP LFI.
Identifies the path traversal vulnerability in the WP Job Portal plugin through regular vulnerability scanning, enabling proactive detection and response.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal leading to LFI in a public-facing WordPress plugin directly maps to exploiting internet-facing applications (T1190); the requirement for low-privileged auth (subscriber) combined with high CIA impact enables privilege escalation via software vulnerability exploitation (T1068).
NVD Description
Path Traversal: '.../...//' vulnerability in wpjobportal WP Job Portal wp-job-portal allows PHP Local File Inclusion.This issue affects WP Job Portal: from n/a through <= 2.2.8.
Deeper analysisAI
CVE-2025-26935 is a path traversal vulnerability in the WP Job Portal plugin (wp-job-portal) for WordPress, specifically exploiting the '.../...//' sequence to enable PHP local file inclusion (LFI). This flaw affects all versions of the plugin up to and including 2.2.8, with no lower bound specified. Mapped to CWE-35 (Path Traversal) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high potential impact despite elevated exploitation complexity.
The vulnerability can be exploited remotely over the network by an attacker with low privileges, such as an authenticated user with subscriber-level access or equivalent. Exploitation requires high attack complexity, likely due to specific input conditions or plugin states, but needs no user interaction from victims. Successful attacks enable high-impact confidentiality, integrity, and availability violations through LFI, potentially allowing arbitrary local file reads or PHP code execution if sensitive files like configuration or web shells are targeted.
For mitigation details, refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-2-8-local-file-inclusion-vulnerability?_s_id=cve, which documents the issue and likely recommends updating to a patched version beyond 2.2.8 or applying available defenses.
Details
- CWE(s)