The WP Job Portal plugin for WordPress, widely used for AI-powered recruitment systems on company or job board websites, suffers from a stored cross-site scripting vulnerability identified as CVE-2025-14467. This vulnerability exists in all versions up to and including 2.3.9 due to the plugin's explicit whitelisting of the <script> HTML tag in its WPJOBPORTAL_ALLOWED_TAGS configuration. Additionally, the plugin fails to sufficiently sanitize input when saving job descriptions, allowing malicious scripts to be stored persistently. An attacker with authenticated Editor-level or higher privileges can inject arbitrary JavaScript code into job description fields via the job creation or editing interface. Because the malicious scripts are stored, they execute whenever any user accesses the injected job posting page, potentially leading to session hijacking, credential theft, or other malicious activities. This vulnerability is limited to multi-site WordPress installations or those with the unfiltered_html capability disabled, as single-site installations with unfiltered_html enabled would prevent such injections. The CVSS 3.1 base score is 4.4 (medium severity), reflecting network attack vector, high attack complexity, required privileges at the editor level, no user interaction, and partial confidentiality and integrity impact. No public exploits are currently known, but the vulnerability poses a risk especially in environments where multiple users with elevated privileges manage job postings.

For European organizations using WordPress with the WP Job Portal plugin, this vulnerability could lead to unauthorized script execution within their recruitment portals. This can result in session hijacking of logged-in users, theft of credentials, and potential lateral movement within the organization's web infrastructure. Given the nature of recruitment portals, attackers might also manipulate job postings to spread malware or phishing links to visitors or employees. The impact is particularly significant for multi-site WordPress deployments common in larger enterprises or agencies managing multiple client sites. Confidentiality and integrity of user sessions and data are at risk, though availability is not directly impacted. The requirement for Editor-level privileges limits the attack surface but insider threats or compromised editor accounts increase risk. Organizations handling sensitive candidate data or internal hiring processes could face reputational damage and regulatory compliance issues under GDPR if personal data is exposed or manipulated.

European organizations should immediately audit their WordPress installations for the WP Job Portal plugin version and update to a patched version once available. Until a patch is released, restrict Editor-level and higher privileges to trusted users only and monitor for suspicious activity in job postings. Implement web application firewall (WAF) rules to detect and block script injection attempts in job description fields. Enable Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on recruitment pages. Regularly review and sanitize user-generated content manually if automated sanitization is insufficient. For multi-site installations, consider disabling the plugin on sites where it is not essential. Conduct security awareness training for editors and administrators about the risks of XSS and safe content management practices. Finally, monitor logs for unusual access patterns or script execution errors that could indicate exploitation attempts.