CVE-2026-6271

WordPress · Career Section Plugin

The Career Section WordPress plugin is vulnerable to arbitrary file upload due to missing file type validation, enabling remote code execution.

Executive summary

An unauthenticated arbitrary file upload vulnerability in the Career Section plugin for WordPress allows attackers to execute remote code on the server.

Vulnerability

This is an arbitrary file upload vulnerability caused by the lack of proper file type validation within the CV upload handler. An unauthenticated attacker can upload malicious executable files, such as web shells, leading to full remote code execution.
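For readers who want to see what the missing check looks like, the following is an added illustration of allowlist-based validation for a CV upload handler. It is not code from the Career Section plugin and makes no claim about how the fixed version validates files; it shows the defensive principle the advisory refers to: accept only a short list of document types, decide by file content as well as extension, refuse executable extensions anywhere in the name, and never store the client-supplied filename.

```python
"""Illustrative allowlist validation for a CV upload (added example, not plugin code).

Rules enforced:
  * only pdf / doc / docx are accepted, by extension AND by leading bytes;
  * any executable extension anywhere in the name (cv.php.pdf) is refused;
  * the stored filename is generated server-side, so the original name
    never reaches the filesystem.
"""
import os
import secrets

# Allowed CV formats: extension -> acceptable leading bytes (magic numbers).
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "docx": (b"PK\x03\x04",),        # OOXML documents are zip containers
    "doc": (b"\xd0\xcf\x11\xe0",),   # OLE2 compound document
}

# Extensions a web server may hand to an interpreter; refused in any position.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "exe", "cgi", "pl", "sh", "htaccess",
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the caller should discard the data."""


def validate_cv_upload(filename: str, content: bytes) -> str:
    """Return a safe server-side filename for the upload or raise UploadRejected."""
    base = os.path.basename(filename)          # drop any client-supplied path
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing or empty extension")
    # Every dotted segment after the stem is checked, so double extensions are caught.
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        raise UploadRejected("executable extension in filename")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext}")
    # The declared type must match the bytes actually uploaded.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    # Random name chosen by the server; the attacker never controls what lands on disk.
    return f"cv_{secrets.token_hex(8)}.{ext}"
```

The content check matters as much as the extension check: a file named resume.pdf whose bytes begin with a PHP open tag is refused, and a PDF renamed to shell.php is refused by name before its content is ever inspected.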

Business impact

With a CVSS score of 9.8, this vulnerability is critical. An attacker can gain full administrative control over the web server, leading to site defacement, data theft, and potential lateral movement into the hosting infrastructure.

Remediation

Immediate Action: Update the Career Section plugin to the latest available version that contains the fix for file type validation.

Proactive Monitoring: Scan the web server's upload directories for suspicious file extensions (.php, .phtml, .exe) and review server access logs for unusual POST requests to the upload handler.
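The two checks described above can be scripted. The following is an added example, not part of the advisory and not taken from any tool: it walks an uploads tree for files with an executable extension in any position or with PHP code inside a file that claims to be something else, and it tallies which source addresses sent POST requests to the upload handler in a Combined Log Format access log. The handler path, the plugin directory name and the log lines are constructed placeholders; the real endpoint must be read from the installed plugin's source before the log check is useful.

```python
"""Added example: post-exposure checks for a WordPress uploads directory and access log.

Not part of the advisory. The plugin directory and handler names in the sample log
are placeholders (PLUGIN-DIR-PLACEHOLDER, UPLOAD-HANDLER-PLACEHOLDER), and the
sample files and log lines are constructed for the demonstration.
"""
import os
import re
import tempfile
from collections import Counter

SUSPICIOUS_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar",
                  ".exe", ".cgi", ".htaccess"}
PHP_MARKERS = (b"<?php", b"<?=")


def scan_uploads(root):
    """Return sorted (relative_path, reason) pairs for risky files under root.

    A file is flagged when any dotted suffix is an executable extension
    (catches cv.php.pdf as well as shell.phtml) or when a non-PHP file
    starts with a PHP open tag within its first 512 bytes.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            suffixes = {"." + p for p in lower.split(".")[1:]}
            if suffixes & SUSPICIOUS_EXT:
                findings.append((rel, "executable extension"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(512)
            if any(marker in head for marker in PHP_MARKERS):
                findings.append((rel, "php code in non-php file"))
    return sorted(findings)


# Combined Log Format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_upload_posts(lines, handler_substring):
    """Return [(ip, count), ...] for sources that POSTed to the handler, most frequent first."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and handler_substring in m.group("path"):
            hits[m.group("ip")] += 1
    return hits.most_common()


def build_demo_tree():
    """Create a temporary uploads tree with constructed sample files; returns its path."""
    root = tempfile.mkdtemp(prefix="uploads_demo_")
    samples = {
        "2026/01/resume.pdf": b"%PDF-1.4\n%demo\n",                 # benign
        "2026/01/cv.php.pdf": b"<?php echo 1; ?>",                   # double extension
        "2026/01/photo.jpg": b"\xff\xd8\xff\xe0<?php echo 2; ?>",    # php hidden in image
        "2026/01/shell.phtml": b"<?php echo 3; ?>",                  # executable extension
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


# Constructed sample access log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:10:00:01 +0000] "GET /wp-content/plugins/PLUGIN-DIR-PLACEHOLDER/js/app.js HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2026:10:00:05 +0000] "POST /wp-content/plugins/PLUGIN-DIR-PLACEHOLDER/UPLOAD-HANDLER-PLACEHOLDER.php HTTP/1.1" 200 33',
    '203.0.113.7 - - [10/Mar/2026:10:00:06 +0000] "POST /wp-content/plugins/PLUGIN-DIR-PLACEHOLDER/UPLOAD-HANDLER-PLACEHOLDER.php HTTP/1.1" 200 33',
    '203.0.113.7 - - [10/Mar/2026:10:00:09 +0000] "POST /wp-content/plugins/PLUGIN-DIR-PLACEHOLDER/UPLOAD-HANDLER-PLACEHOLDER.php HTTP/1.1" 200 33',
    '198.51.100.4 - - [10/Mar/2026:11:20:00 +0000] "POST /wp-content/plugins/PLUGIN-DIR-PLACEHOLDER/UPLOAD-HANDLER-PLACEHOLDER.php HTTP/1.1" 200 33',
    '198.51.100.4 - - [10/Mar/2026:11:20:01 +0000] "GET /careers/ HTTP/1.1" 200 9100',
]


if __name__ == "__main__":
    root = build_demo_tree()
    for rel, reason in scan_uploads(root):
        print(f"{reason:28} {rel}")
    for ip, count in find_upload_posts(SAMPLE_LOG, "UPLOAD-HANDLER-PLACEHOLDER"):
        print(f"{count:4} POST(s) to upload handler from {ip}")
```

Repeated POSTs to the upload handler from one address in a short window, followed by GET requests into wp-content/uploads, are the pattern to look for; a single POST from a visitor may simply be a genuine application.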

Compensating Controls: Use a Web Application Firewall (WAF) to block requests containing suspicious file extensions or unauthorized file upload attempts.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

File upload vulnerabilities are high-value targets for attackers. Organizations using this plugin must verify whether they are running version 1.7 or lower and apply the update immediately. If an update is unavailable, disable the plugin until a secure version is released.