The WP Job Portal plugin for WordPress, widely used for AI-powered recruitment systems on company or job board websites, suffers from a stored cross-site scripting vulnerability identified as CVE-2025-14467. This vulnerability exists in all versions up to and including 2.3.9 due to the plugin's explicit whitelisting of the <script> HTML tag in its WPJOBPORTAL_ALLOWED_TAGS configuration combined with insufficient sanitization of user input when saving job descriptions. An attacker with authenticated Editor-level access or higher can inject arbitrary JavaScript code into job description fields via the job creation or editing interface. Because the injected scripts are stored and rendered when any user accesses the affected job posting page, the malicious code executes in the context of the victim’s browser. This can lead to session hijacking, credential theft, and other client-side attacks. The vulnerability specifically impacts multisite WordPress installations or those with the unfiltered_html capability disabled, which restricts users from posting unfiltered HTML. The CVSS 3.1 score is 4.4, indicating medium severity, with the vector showing network attack vector, high attack complexity, requiring privileges, no user interaction, and a scope change. No public exploits have been reported yet, but the vulnerability poses a risk in environments where multiple users have elevated privileges and where job postings are publicly accessible. The lack of a patch link suggests that remediation may require plugin updates or configuration changes by site administrators.

For European organizations, especially those operating recruitment platforms or job boards using the WP Job Portal plugin in multisite WordPress environments, this vulnerability can lead to significant security risks. Attackers with Editor-level access can inject malicious scripts that execute in the browsers of site visitors or other users, potentially leading to session hijacking and credential theft. This can compromise user accounts, including those of HR personnel or job applicants, leading to unauthorized access to sensitive personal data and internal systems. The impact extends to reputational damage, regulatory non-compliance (e.g., GDPR violations due to data breaches), and operational disruption. Since the vulnerability requires authenticated access with elevated privileges, insider threats or compromised editor accounts are primary risk vectors. The medium CVSS score reflects moderate risk but should not be underestimated given the sensitive nature of recruitment data and the potential for lateral movement within affected networks.

European organizations should immediately audit their WordPress installations to identify the use of the WP Job Portal plugin, particularly in multisite configurations or where unfiltered_html is disabled. Until an official patch is released, administrators should restrict Editor-level privileges to trusted users only and consider temporarily disabling the plugin or limiting job description input capabilities. Implementing a Web Application Firewall (WAF) with custom rules to detect and block script tags or suspicious payloads in job descriptions can reduce exploitation risk. Additionally, enabling Content Security Policy (CSP) headers to restrict script execution sources can mitigate the impact of injected scripts. Regularly monitoring logs for unusual activity related to job postings and user privilege escalations is advised. Once a patch becomes available, prompt application is critical. Educating users with elevated privileges about the risks of injecting untrusted content and enforcing strong authentication mechanisms will further reduce risk.