CVE-2025-14467
Stored XSS in WP Job Portal Plugin Allows Script Injection

Publication date: 2025-12-12

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.4. This is due to the plugin explicitly whitelisting the `
Meta Information
Published: 2025-12-12
Last Modified: 2026-04-08
Generated: 2026-05-07
AI Q&A: 2025-12-12
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: wp_job_portal
Product: wp_job_portal
Version / Range: *
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves stored Cross-Site Scripting (XSS) in the WP Job Portal plugin versions up to 2.3.9, where authenticated users with Editor-level access can inject malicious scripts into job descriptions. Detection involves identifying injected <script> tags or suspicious JavaScript code within job description fields in the WordPress database. Since the plugin explicitly whitelists the <script> tag, scanning the job descriptions for script tags is key. You can detect this by querying the WordPress database for job descriptions containing <script> tags. For example, using a MySQL command to search the job descriptions field in the jobs table for occurrences of '<script>' can help identify injected scripts. A sample SQL command might be:

```sql
SELECT id, job_description FROM wp_wpjobportal_jobs WHERE job_description LIKE '%<script>%';
```

Replace `wp_wpjobportal_jobs` with the actual table name prefix used in your installation. Additionally, monitoring HTTP responses for unexpected script content in job description pages or using web application scanners that detect stored XSS payloads in the affected plugin can help. Note that this vulnerability only affects multi-site installations or those with unfiltered_html disabled, so verifying these conditions is also important.


Can you explain this vulnerability to me?

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WP Job Portal plugin for WordPress, affecting all versions up to 2.3.9. It occurs because the plugin explicitly allows the <script> tag in its allowed tags configuration and does not properly sanitize input when saving job descriptions. Authenticated users with Editor-level access or higher can inject malicious scripts into job descriptions, which then execute when other users view those pages.


How can this vulnerability impact me?

The vulnerability allows attackers with Editor-level access or higher to inject arbitrary scripts into job descriptions. These scripts can execute in the context of users viewing the affected pages, potentially leading to session hijacking, credential theft, and other malicious activities. This can compromise user accounts and site security, especially in multi-site installations or where unfiltered_html is disabled.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately update the WP Job Portal plugin to a version later than 2.3.9 where the issue is fixed. Additionally, ensure that your WordPress installation is not a multi-site setup or that unfiltered_html is enabled if multi-site is necessary. Limit Editor-level access to trusted users only, and consider applying additional input sanitization or security plugins to prevent script injection.
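As an added example (not the plugin's code and not part of the Q&A above), the following Python stand-in for allowed-tags filtering shows the defect behind this CVE, an allow-list that still contains `script`, beside the corrected list, and a scanner over constructed sample rows that also catches the `<SCRIPT src=...>` variants the `LIKE '%<script>%'` query in the detection answer misses. The allow-lists, sample rows and the `AllowListSanitizer` class are assumptions made for the example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed stand-ins for the plugin's allowed-tags list (not the real list):
# the weak list still permits 'script', the fixed list drops it.
WEAK_ALLOWED = {"p", "b", "i", "ul", "li", "a", "script"}
FIXED_ALLOWED = WEAK_ALLOWED - {"script"}

class AllowListSanitizer(HTMLParser):
    """Keep only allow-listed tags (attributes dropped); a disallowed
    <script> is removed together with its body; text is HTML-escaped."""
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out, self.skip = allowed, [], 0
    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:
            self.out.append(f"<{tag}>")
        elif tag == "script":
            self.skip += 1          # drop the script body, not just the tag
    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")
        elif tag == "script" and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html, allowed):
    parser = AllowListSanitizer(allowed)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Matches <script ...> in any letter case, with or without attributes,
# which the SQL pattern '%<script>%' would not.
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)

# Constructed sample rows standing in for (id, job_description) query results.
SAMPLE_ROWS = [
    (1, "<p>Senior engineer wanted.</p>"),
    (2, "<p>Apply now</p><script>alert(1)</script>"),
    (3, '<b>Remote</b><SCRIPT src="//example.invalid/x.js"></SCRIPT>'),
]

def find_script_rows(rows):
    """Return ids of rows whose description carries a script tag."""
    return [rid for rid, desc in rows if SCRIPT_RE.search(desc)]
```

Run `find_script_rows` over the real query results to triage, and compare `sanitize(..., WEAK_ALLOWED)` with `sanitize(..., FIXED_ALLOWED)` to see why removing `script` from the allow-list is the actual fix.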


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources and context do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

