CVE-2025-14467

MEDIUM 4.4

WP Job Portal <= 2.4.4 - Authenticated (Editor+) Stored Cross-Site Scripting via Job Description Field

CVSS Score

4.4

EPSS Score

0.0%

EPSS Percentile

0th

The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.4. This is due to the plugin explicitly whitelisting the `<script>` tag in its `WPJOBPORTAL_ALLOWED_TAGS` configuration and using insufficient input sanitization when saving job descriptions. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts into job description fields via the job creation/editing interface. These scripts will execute whenever a user accesses an injected page, enabling session hijacking, credential theft, and other malicious activities.This only impacts multi-site installations, or those with unfiltered_html disabled.

CWE	CWE-79
Vendor	wpjobportal
Product	wp job portal – ai-powered recruitment system for company or job board website
Published	Dec 12, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for wpjobportal wp job portal – ai-powered recruitment system for company or job board website

Be the first to know when new medium vulnerabilities affecting wpjobportal wp job portal – ai-powered recruitment system for company or job board website are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

wpjobportal / WP Job Portal – AI-Powered Recruitment System for Company or Job Board website

0 ≤ 2.3.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

Credits

Long Nguyen