The WP Job Portal plugin for WordPress, widely used for AI-powered recruitment and job board websites, suffers from a stored cross-site scripting vulnerability identified as CVE-2025-14467. This vulnerability exists in all versions up to and including 2.3.9 due to the plugin's explicit whitelisting of the <script> HTML tag within its WPJOBPORTAL_ALLOWED_TAGS configuration. Additionally, the plugin performs insufficient sanitization of job description inputs when saving data. As a result, authenticated users with Editor-level access or higher can inject arbitrary JavaScript code into job description fields via the job creation or editing interface. When other users access these injected pages, the malicious scripts execute in their browsers, potentially enabling session hijacking, credential theft, or other malicious actions. This vulnerability specifically impacts WordPress multisite installations or sites where the unfiltered_html capability is disabled, as these configurations normally restrict script injection. The vulnerability has a CVSS 3.1 base score of 4.4, indicating medium severity, with network attack vector, high attack complexity, required privileges at the high level, no user interaction, and a scope change. No public exploits have been reported to date. The root cause is the plugin's flawed input validation and overly permissive HTML tag allowance, which violates secure coding practices for web content generation and input neutralization (CWE-79).

This vulnerability allows attackers with Editor-level privileges or higher to inject persistent malicious scripts into job descriptions, which execute in the browsers of users who view these pages. The impact includes potential session hijacking, credential theft, unauthorized actions performed on behalf of users, and possible further exploitation of the affected WordPress site or user accounts. Since the vulnerability requires authenticated access with elevated privileges, the risk is somewhat limited to insider threats or compromised accounts. However, in multi-user environments such as recruitment platforms or job boards, the ability to execute arbitrary scripts can lead to significant data breaches and loss of user trust. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting the entire WordPress site or network. Organizations relying on WP Job Portal for recruitment or job board functionality may face reputational damage, regulatory compliance issues, and operational disruption if exploited. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability is public.

Organizations should immediately review and restrict Editor-level and higher user privileges to trusted personnel only, minimizing the risk of malicious script injection. Until a patched version of the WP Job Portal plugin is released, administrators should consider disabling or limiting the plugin's use, especially on multisite WordPress installations or those with unfiltered_html disabled. Implement additional input validation and sanitization controls on job description fields, either via custom code or security plugins that enforce strict HTML tag filtering and disallow <script> tags. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. Monitor logs and user activity for suspicious behavior indicative of attempted script injection. Regularly update WordPress core, plugins, and themes to incorporate security patches promptly once available. Conduct security awareness training for users with elevated privileges to recognize and avoid risky actions. Finally, consider deploying web application firewalls (WAFs) with rules targeting XSS payloads to provide an additional layer of defense.