CVE-2025-12836 is a stored cross-site scripting (XSS) vulnerability identified in the VK Google Job Posting Manager plugin for WordPress, versions up to and including 1.2.20. The vulnerability stems from improper neutralization of input during web page generation, specifically due to insufficient sanitization and escaping of user-supplied data in the Job Description field. Authenticated users with author-level or higher privileges can inject arbitrary JavaScript code into job posting pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with an attack vector over the network, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, impacting other users. No known exploits are currently reported in the wild. The vulnerability highlights a common weakness (CWE-79) related to cross-site scripting due to inadequate input validation and output encoding in web applications. Since the plugin is used to manage job postings, the attack surface includes any WordPress site utilizing this plugin for recruitment or job advertisement purposes.

For European organizations, this vulnerability poses a risk primarily to websites using the VK Google Job Posting Manager plugin for WordPress, especially those with multiple authors or contributors who have author-level permissions or higher. Exploitation could lead to unauthorized script execution in the browsers of site visitors or administrators, potentially compromising session tokens, stealing sensitive information, or performing unauthorized actions on behalf of users. This can damage organizational reputation, lead to data breaches, and disrupt recruitment or HR operations. The impact is particularly significant for organizations relying on their websites for job postings and candidate interactions, including public sector agencies, recruitment firms, and large enterprises with active hiring portals. Given the medium severity, the threat is moderate but should not be underestimated, especially since the scope affects other users beyond the attacker. The absence of known exploits in the wild reduces immediate risk but does not eliminate the possibility of future attacks. Organizations failing to address this vulnerability may face targeted attacks leveraging the stored XSS to escalate privileges or conduct phishing campaigns within their user base.

1. Monitor for official patches or updates from vektor-inc and apply them promptly once available. 2. Until a patch is released, restrict author-level permissions to trusted users only and audit existing users with such privileges. 3. Implement manual input validation and output encoding for the Job Description field by customizing the plugin or using WordPress security plugins that sanitize inputs and outputs. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 5. Regularly scan WordPress sites with security tools capable of detecting stored XSS vulnerabilities. 6. Educate site administrators and authors about the risks of injecting untrusted content and enforce strict content submission guidelines. 7. Consider disabling or replacing the VK Google Job Posting Manager plugin if immediate patching is not feasible. 8. Maintain regular backups and incident response plans to quickly recover from potential compromises.