CVE-2026-6271
CRITICAL
Career Section <= 1.7 - Unauthenticated Arbitrary File Upload
Title source: cna
Exploitation Summary
EIP tracks 1 public exploit for CVE-2026-6271. PoCs published by xxconi.
AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-6271, targeting the Career Section WordPress Plugin (≤1.7). The exploit demonstrates unauthenticated arbitrary file upload leading to remote code execution by leveraging a public nonce and MIME spoofing to upload a PHP shell.
Description
The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible.
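The description attributes the flaw to missing file type validation in the CV upload handler. As an added example (not the plugin's code and not taken from any patch), the PHP below shows the server-side checks such a handler needs; `validate_cv_upload()`, `CV_SIGNATURES` and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example (not the plugin's code): server-side validation for a CV upload.
// validate_cv_upload() and CV_SIGNATURES are hypothetical names.

// Allowed extension => leading bytes the file content must start with.
const CV_SIGNATURES = [
    'pdf'  => "%PDF-",
    'docx' => "PK\x03\x04",                        // ZIP container
    'doc'  => "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",  // OLE2 compound file
];

/**
 * Decide whether an upload may be stored and under which server-chosen name.
 * $clientType (the request's Content-Type) is taken only to show it is ignored.
 */
function validate_cv_upload(string $clientName, string $clientType, string $bytes): array
{
    // Use the final extension only; "cv.pdf.php" yields "php".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, CV_SIGNATURES)) {
        return ['ok' => false, 'reason' => "extension '$ext' not allowed"];
    }
    // The content must start with the signature for the claimed extension.
    $sig = CV_SIGNATURES[$ext];
    if (strncmp($bytes, $sig, strlen($sig)) !== 0) {
        return ['ok' => false, 'reason' => 'content does not match extension'];
    }
    // Never reuse the client's file name; store under a random one.
    return ['ok' => true, 'stored_as' => bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed sample inputs: [file name, Content-Type header, leading bytes].
$samples = [
    ['cv.pdf',     'application/pdf', "%PDF-1.7\n..."],
    ['cv.php',     'application/pdf', "<?php /* placeholder */"],
    ['cv.pdf.php', 'application/pdf', "%PDF-1.7\n..."],
    ['cv.pdf',     'application/pdf', "<?php /* placeholder */"],
];
foreach ($samples as [$name, $type, $bytes]) {
    $r = validate_cv_upload($name, $type, $bytes);
    printf("%-11s %s\n", $name,
        $r['ok'] ? 'accepted as ' . $r['stored_as'] : 'rejected: ' . $r['reason']);
}
```

Only the first sample is accepted; the other three carry the same `application/pdf` Content-Type and are rejected on extension or content. In a WordPress handler the equivalent allowlist is passed as the `mimes` override to `wp_handle_upload()`, and the upload directory should not execute PHP.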
Exploits (1)
References (4)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H