CVE-2025-68070

MEDIUM
2025-12-16 [email protected]
6.5
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 16, 2025 - 09:16 nvd (MEDIUM 6.5)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vektor,Inc. VK Google Job Posting Manager vk-google-job-posting-manager allows Stored XSS. This issue affects VK Google Job Posting Manager: from n/a through <= 1.2.22.

Analysis

Stored cross-site scripting (XSS) in the VK Google Job Posting Manager WordPress plugin, versions up to and including 1.2.22, lets an authenticated user with low privileges (CVSS PR:L) save input that the plugin later writes into a generated page without adequate escaping. The injected script runs in the browser of whoever views that page, which is why the CVSS scope is Changed (S:C): the flaw sits in the server-side plugin, but the impact lands on other users' sessions, potentially including a site administrator's. User Interaction: Required (UI:R) here means a victim has to load the page that renders the stored payload; no further action by the victim is needed. Confidentiality, integrity and availability are each rated Low, giving 6.5 MEDIUM. The EPSS score at the time of analysis was 0.04%, so the estimated probability of exploitation in the wild is low and no active exploitation is documented; that lowers urgency, not the severity of a successful attack.

Technical Context

The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation) in its stored variant: user-supplied input is persisted, here in the WordPress database, and later written into HTML output without escaping appropriate to the output context. Because the payload is served from the site itself, it executes under the site's origin with the privileges of the viewing user, and the browser cannot distinguish it from the plugin's legitimate markup. In WordPress the exposure depends on where the vulnerable output is rendered: on the public front end the payload reaches anonymous visitors, while in wp-admin it reaches editors and administrators, whose sessions carry the cookies and nonces needed to call administrative endpoints (create users, install plugins, change options). The standard WordPress defence is escaping at output time with a function matched to the sink (esc_html(), esc_attr(), esc_url(), wp_kses_post(), or wp_json_encode() with hex flags for data embedded in a script block); sanitizing input on save is a complementary control, not a substitute.
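The following is an added illustrative example, not code from VK Google Job Posting Manager (the advisory does not identify which field or template is the vulnerable sink). The hypo_* function names and the _hypo_job_title meta key are invented; the code assumes it runs inside WordPress as part of a plugin and uses only WordPress core APIs. It shows the unescaped output pattern that produces stored XSS beside its hardened form, and, because plugins in this category typically emit JobPosting structured data as JSON-LD inside a script element, how user-controlled data must be encoded in that context, where HTML escaping is the wrong tool.

```php
<?php
/**
 * Added example (not from VK Google Job Posting Manager): stored XSS via
 * unescaped output, with the hardened form beside it.
 * Hypothetical names: hypo_* functions and the '_hypo_job_title' meta key.
 * Assumes it runs inside WordPress (e.g. a plugin file), core APIs only.
 */

// --- Save path -------------------------------------------------------------

// Vulnerable save: the submitted title is persisted verbatim.
function hypo_save_job_title_vulnerable( int $post_id ): void {
    if ( ! current_user_can( 'edit_post', $post_id ) || ! isset( $_POST['hypo_job_title'] ) ) {
        return;
    }
    update_post_meta( $post_id, '_hypo_job_title', wp_unslash( $_POST['hypo_job_title'] ) );
}

// Hardened save: capability check, nonce check and input sanitisation.
// Sanitising on save is defence in depth; the decisive control is escaping on output.
function hypo_save_job_title( int $post_id ): void {
    if ( ! current_user_can( 'edit_post', $post_id ) || ! isset( $_POST['hypo_job_title'] ) ) {
        return;
    }
    check_admin_referer( 'hypo_save_job', 'hypo_nonce' );
    $title = sanitize_text_field( wp_unslash( $_POST['hypo_job_title'] ) );
    update_post_meta( $post_id, '_hypo_job_title', $title );
}

// --- Render path -----------------------------------------------------------

// Vulnerable render (CWE-79): the stored value is concatenated into HTML unescaped.
// A stored title such as  <img src=x onerror=alert(document.cookie)>  executes in the
// browser of every user who views the listing, including an administrator.
function hypo_render_job_title_vulnerable( int $post_id ): string {
    $title = get_post_meta( $post_id, '_hypo_job_title', true );
    return '<h2 class="job-title">' . $title . '</h2>';
}

// Hardened render: escape for the HTML text context at the point of output.
// Inside an attribute use esc_attr(); for href/src use esc_url().
function hypo_render_job_title( int $post_id ): string {
    $title = get_post_meta( $post_id, '_hypo_job_title', true );
    return '<h2 class="job-title">' . esc_html( $title ) . '</h2>';
}

// Structured-data render: JobPosting JSON-LD inside a <script> element.
// esc_html() is wrong here because the browser does not HTML-decode script content.
// Encode as JSON with the HEX flags so that < > & ' " become \uXXXX and a stored
// "</script><script>..." cannot terminate the block.
function hypo_render_job_jsonld( int $post_id ): string {
    $data = array(
        '@context' => 'https://schema.org/',
        '@type'    => 'JobPosting',
        'title'    => (string) get_post_meta( $post_id, '_hypo_job_title', true ),
    );
    $json = wp_json_encode( $data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );
    return '<script type="application/ld+json">' . $json . '</script>';
}
```

Hook the save function to save_post and call the render functions from the listing template. The two render contexts differ deliberately: text inside an element body is neutralised by esc_html(), but the same title inside the JSON-LD block is only safe if the JSON encoder itself escapes the characters that could close the script element.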

Affected Products

VK Google Job Posting Manager WordPress plugin, all versions through 1.2.22 (the CVE description gives no lower bound). The plugin is distributed via the WordPress Plugin Directory and is maintained by Vektor, Inc. Note that the Patchstack entry's URL slug references 1.2.21 while the CVE description lists <= 1.2.22 as affected; treat 1.2.22 as the upper bound of the vulnerable range. Detailed vulnerability information and patch status are available at https://patchstack.com/database/Wordpress/Plugin/vk-google-job-posting-manager/vulnerability/wordpress-vk-google-job-posting-manager-plugin-1-2-21-cross-site-scripting-xss-vulnerability?_s_id=cve.

Remediation

Update VK Google Job Posting Manager to version 1.2.23 or later, which contains the fix for the stored XSS. Apply the update through the WordPress plugin management interface (Plugins > Installed Plugins > Update) or with WP-CLI, and confirm the installed version afterwards on the same screen. The vendor documents no workaround; until the update is applied, the available compensating controls are reducing the number of low-privileged accounts able to submit job posting content and reviewing existing job posting data for injected markup, since a fix applied on save does not clean records that were stored before patching. Confirm the current fixed version against the Patchstack entry at the reference URL before rolling out.

Priority Score

33 (scale: Low / Medium / High / Critical)
Contributions: KEV 0, EPSS +0.0, CVSS +32, POC 0
