CVE-2026-6271

CRITICAL

Career Section <= 1.7 - Unauthenticated Arbitrary File Upload

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-6271. PoCs published by xxconi.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-6271, targeting the Career Section WordPress Plugin (≤1.7). The exploit demonstrates unauthenticated arbitrary file upload leading to remote code execution by leveraging a public nonce and MIME spoofing to upload a PHP shell.

Description

The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible.

Exploits (1)

github WORKING POC
by xxconi · python · poc
https://github.com/xxconi/CVE-2026-6271


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Career Section WordPress Plugin ≤ 1.7
No auth needed
Prerequisites: Target must have the Career Section plugin installed and active (≤1.7) · At least one job listing must be published
mistral-large-3 · analyzed May 26, 2026

Scores

CVSS v3 9.8
EPSS 0.0066
EPSS Percentile 47.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
shahinurislam/Career Section < 1.7
Published May 14, 2026
Tracked Since May 14, 2026