The WP Job Portal plugin for WordPress, up to version 2.4.4, suffers from a stored cross-site scripting vulnerability (CWE-79) due to explicit whitelisting of the <script> tag in its WPJOBPORTAL_ALLOWED_TAGS configuration combined with insufficient input sanitization of job descriptions. Authenticated users with Editor-level or higher privileges can inject arbitrary JavaScript code into job description fields via the job creation or editing interface. This malicious code executes in the context of users viewing the injected job pages, enabling attacks such as session hijacking and credential theft. The vulnerability specifically impacts multi-site WordPress installations or those with unfiltered_html disabled. The CVSS 3.1 base score is 4.4, reflecting a medium severity with network attack vector, high attack complexity, and required privileges.

Successful exploitation allows authenticated users with Editor-level or higher privileges to inject persistent malicious scripts into job description fields. These scripts execute in the browsers of users who view the affected job pages, potentially leading to session hijacking, credential theft, or other malicious actions. The impact is limited to multi-site WordPress installations or those with unfiltered_html disabled. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should restrict Editor-level access to trusted users only and consider disabling multi-site features or enabling unfiltered_html to mitigate risk. Monitoring for suspicious script injections in job descriptions is advisable. Avoid using vulnerable versions of the plugin in environments where multi-site or unfiltered_html restrictions apply.