HarborGuard Database
Severity: CRITICAL | CVE-2026-42684 | Published: | Modified: | CNA: Patchstack

CVE-2026-42684: WordPress WP Job Portal plugin <= 2.5.1 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ahmad WP Job Portal allows Blind SQL Injection. This issue affects WP Job Portal: from n/a through 2.5.1.

Metrics

  • CVSS v3.1: 9.3
  • Severity: CRITICAL
  • Fixed in: (no upstream fix published)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the WP Job Portal WordPress plugin at version 2.5.1 and earlier. The flaw is reachable over the network with no credentials required, and successful exploitation uses a blind injection technique to extract data from the underlying database across scope boundaries. An attacker can read sensitive application data from the database and cause limited disruption to availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built WordPress-based images running WP Job Portal. Any image found to contain an affected version of the plugin is flagged immediately.
Triage (Available)

HarborGuard is capable of scoring this finding at CVSS 9.3 Critical and weighting it further against each environment's compliance policy to reflect the unauthenticated, network-exposed nature of the flaw. Triage results are routable to the appropriate team inbox within each customer organization based on configured ownership rules.
Patch (Pending upstream)

No upstream fix has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and a PR opened against affected workloads will follow without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP/HTTPS from any external or internal network position.

  • Authentication: Not required

    No account or session credentials of any kind are needed; the injection point is accessible to anonymous requests.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator of the affected site.

  • Attack complexity: Low

    Exploitation is reliable and condition-free once the service is reachable, though blind injection techniques require iterative querying to extract data rather than a single direct response.

Blast Radius

  • An attacker can extract the full contents of the WordPress database, including user credentials (hashed passwords), email addresses, private job listings, and applicant records.
  • Because the CVSS scope is Changed (S:C), the impact can extend beyond the plugin itself to other data stored in the shared database instance, such as tables belonging to other plugins or the WordPress core.
  • Availability impact is rated Low: the injection queries can degrade database responsiveness or cause intermittent errors for legitimate users, though a full service crash is not the primary risk.

How HarborGuard Handles This

Because no upstream fix exists for CVE-2026-42684, the platform monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically as soon as a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads, with no manual steps required.

In the interim, compensating controls worth evaluating include network-policy rules that restrict public access to affected WordPress endpoints, web application firewall rules targeting SQL metacharacter patterns in relevant request parameters, and disabling the WP Job Portal plugin where the feature is not actively needed. Where compliance policy permits, HarborGuard can surface these compensating-control recommendations directly in the triage ticket routed to the owning team.

Affected packages
  • Ahmad / WP Job Portal
    ≤ 2.5.1
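An added check, not HarborGuard's or the plugin's own code: this Python script reads the version out of a WordPress plugin main-file header and reports whether it falls inside the affected range (≤ 2.5.1), comparing versions numerically rather than as strings so that 2.10.0 is correctly treated as newer than 2.5.1. The plugin path under wp-content/plugins is an assumption, and the sample header is constructed.

```python
import re
from pathlib import Path

# Affected range per the advisory: every release up to and including 2.5.1.
LAST_AFFECTED = "2.5.1"

# Constructed sample of a WordPress plugin file header; the real header sits at
# the top of the plugin's main PHP file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP Job Portal
 * Description: Job board plugin.
 * Version: 2.5.1
 * Author: Ahmad
 */
"""

def parse_plugin_header(text: str) -> dict:
    """Extract 'Key: value' pairs from a WordPress plugin header comment."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*\*?\s*([A-Za-z][A-Za-z ]+?):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def version_tuple(version: str) -> tuple:
    """Turn '2.5.1' (or '2.5.1-beta') into ints so 2.10.0 sorts after 2.5.1."""
    core = re.match(r"\d+(\.\d+)*", version.strip())
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in core.group(0).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so '2.5' compares as 2.5.0

def is_affected(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when the installed version is <= the last affected release."""
    return version_tuple(version) <= version_tuple(last_affected)

if __name__ == "__main__":
    # Assumed path; the real plugin directory and main-file name may differ.
    main_file = Path("/var/www/html/wp-content/plugins/wp-job-portal/wp-job-portal.php")
    text = main_file.read_text(errors="replace") if main_file.exists() else SAMPLE_HEADER
    fields = parse_plugin_header(text[:4096])  # header is always near the top
    v = fields.get("Version", "0")
    print(fields.get("Plugin Name", "?"), v, "AFFECTED" if is_affected(v) else "not affected")
```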
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L