CVE-2025-14467

Name of the Vulnerable Software and Affected Versions WP Job Portal versions prior to 2.3.9

Description The WP Job Portal plugin for WordPress is susceptible to Stored Cross-Site Scripting in all versions up to and including 2.3.9. The issue stems from the plugin explicitly allowing the <script> tag in its WPJOBPORTAL ALLOWED TAGS configuration and inadequate input sanitization when saving job descriptions. This allows authenticated attackers with Editor-level access or higher to inject arbitrary web scripts into job description fields through the job creation/editing interface. These scripts execute when a user accesses the affected page, potentially enabling session hijacking and credential theft. This impacts multi-site installations or those with unfiltered html disabled.

Recommendations Update to a version of WP Job Portal later than 2.3.9.