CVE-2025-13383 is a stored cross-site scripting (XSS) vulnerability affecting all versions up to and including 1.2.1 of the Job Board by BestWebSoft plugin for WordPress. The root cause is the plugin's unsafe handling of user input: it stores the entire unsanitized $_GET superglobal array directly into the WordPress user meta database table using the update_user_meta() function when users save search results. Later, this data is outputted to web pages without proper escaping or sanitization, allowing malicious JavaScript code injected by an attacker to execute in the context of any user who views the saved search or their profile. The vulnerability does not require authentication, meaning an unauthenticated attacker can exploit it by tricking users into saving malicious search queries. The CVSS 3.1 base score is 6.1, indicating a medium severity vulnerability with network attack vector, low attack complexity, no privileges required, but requiring user interaction. The impact affects confidentiality and integrity by enabling script execution that could steal cookies, perform actions on behalf of the user, or manipulate displayed content, but does not affect availability. No known exploits are currently reported in the wild. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). No official patches have been linked yet, so mitigation relies on input validation, output escaping, or disabling the affected functionality until a patch is available.

This vulnerability can lead to unauthorized script execution in the browsers of users who view saved search results or profiles containing malicious payloads. Potential impacts include theft of session cookies, enabling account takeover, unauthorized actions performed on behalf of users, defacement of web pages, and distribution of malware. Since the plugin is used in WordPress environments, which often serve as public-facing job boards or recruitment portals, exploitation could damage organizational reputation and user trust. The lack of authentication requirement lowers the barrier for attackers, increasing the risk of widespread exploitation. However, the need for user interaction (saving malicious search results) somewhat limits automated mass exploitation. Organizations relying on this plugin may face data confidentiality breaches and integrity violations, especially if users have elevated privileges or sensitive information is accessible via the affected pages.

1. Immediately audit and sanitize all user input before storage, especially data derived from $_GET parameters. Implement strict input validation to allow only expected characters and formats. 2. Apply proper output encoding/escaping (e.g., HTML entity encoding) when rendering stored data to prevent script execution. 3. Disable or restrict the 'save search results' feature until a vendor patch is released. 4. Monitor user meta data for suspicious or unexpected entries that may indicate exploitation attempts. 5. Educate users to avoid saving search results from untrusted sources or clicking suspicious links that could trigger malicious payloads. 6. Employ Content Security Policy (CSP) headers to limit the impact of injected scripts. 7. Keep WordPress core and all plugins updated; apply vendor patches promptly once available. 8. Consider using web application firewalls (WAFs) with rules to detect and block XSS payloads targeting this plugin. 9. Review user permissions to limit exposure if exploitation occurs. 10. Conduct regular security assessments and code reviews for custom or third-party plugins.