CVE-2025-14467
Unknown Unknown - Not Provided
Stored XSS in WP Job Portal Plugin Allows Script Injection

Publication date: 2025-12-12

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.4. This is due to the plugin explicitly whitelisting the `
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14467
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_job_portal wp_job_portal *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WP Job Portal plugin for WordPress, affecting all versions up to 2.3.9. It occurs because the plugin explicitly allows the <script> tag in its allowed tags configuration and does not properly sanitize input when saving job descriptions. Authenticated users with Editor-level access or higher can inject malicious scripts into job descriptions, which then execute when other users view those pages.

Impact Analysis

The vulnerability allows attackers with Editor-level access or higher to inject arbitrary scripts into job descriptions. These scripts can execute in the context of users viewing the affected pages, potentially leading to session hijacking, credential theft, and other malicious activities. This can compromise user accounts and site security, especially in multi-site installations or where unfiltered_html is disabled.

Mitigation Strategies

To mitigate this vulnerability, immediately update the WP Job Portal plugin to a version later than 2.3.9 where the issue is fixed. Additionally, ensure that your WordPress installation is not a multi-site setup or that unfiltered_html is enabled if multi-site is necessary. Limit Editor-level access to trusted users only, and consider applying additional input sanitization or security plugins to prevent script injection.

Detection Guidance

This vulnerability involves stored Cross-Site Scripting (XSS) in the WP Job Portal plugin versions up to 2.3.9, where authenticated users with Editor-level access can inject malicious scripts into job descriptions. Detection involves identifying injected <script> tags or suspicious JavaScript code within job description fields in the WordPress database. Since the plugin explicitly whitelists the <script> tag, scanning the job descriptions for script tags is key. You can detect this by querying the WordPress database for job descriptions containing <script> tags. For example, using a MySQL command to search the job descriptions field in the jobs table for occurrences of '<script>' can help identify injected scripts. A sample SQL command might be: ```sql SELECT id, job_description FROM wp_wpjobportal_jobs WHERE job_description LIKE '%<script>%'; ``` Replace `wp_wpjobportal_jobs` with the actual table name prefix used in your installation. Additionally, monitoring HTTP responses for unexpected script content in job description pages or using web application scanners that detect stored XSS payloads in the affected plugin can help. Note that this vulnerability only affects multi-site installations or those with unfiltered_html disabled, so verifying these conditions is also important.

Compliance Impact

The provided resources and context do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14467. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart