Skip to main content

WP Job Portal CVE-2026-42685

| EUVDEUVD-2026-33910 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-02 Patchstack GHSA-w29x-75gh-2g79
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 11:50 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ahmad WP Job Portal allows Reflected XSS.

This issue affects WP Job Portal: from n/a through 2.5.1.

AnalysisAI

Reflected cross-site scripting in the WP Job Portal WordPress plugin (versions up to and including 2.5.1) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after they click a crafted link. The flaw has CVSS 7.1 elevated by scope change (S:C), meaning script execution can impact resources beyond the vulnerable component, such as the WordPress admin session. No public exploit identified at time of analysis and no CISA KEV listing.

Technical ContextAI

WP Job Portal is a WordPress plugin (CPE cpe:2.3:a:ahmad:wp_job_portal) by author Ahmad that provides job board and recruitment functionality for WordPress sites. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), where user-controlled input from an HTTP request parameter is reflected back into a generated HTML response without sufficient output encoding or contextual escaping. Because the payload is reflected rather than stored, exploitation requires the attacker to deliver the malicious URL to a victim and have them load it in a browser session against the vulnerable site.

RemediationAI

No vendor-released patched version is independently confirmed in the available data; administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-5-1-cross-site-scripting-xss-vulnerability for the latest fixed release and upgrade WP Job Portal beyond 2.5.1 once that release is published. In the interim, deactivate the WP Job Portal plugin if the job board feature is non-essential (trade-off: job listings will be unavailable to site visitors), or place a Web Application Firewall rule in front of the site to filter reflected XSS payloads on the plugin's request parameters (trade-off: WAF signature gaps may still permit obfuscated payloads). Additionally, restrict administrator browsing habits by enforcing a Content Security Policy that disallows inline scripts on the WordPress site to reduce the impact of any successful reflection (trade-off: may break legitimate plugins or themes that rely on inline JavaScript).

CVE-2023-4490 CRITICAL POC
9.8 Sep 25

The WP Job Portal WordPress plugin before 2.0.6 does not sanitise and escape a parameter before using it in a SQL statem

CVE-2024-11715 CRITICAL
9.8 Dec 14

The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to

CVE-2024-7950 CRITICAL
9.8 Sep 04

The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to

CVE-2026-12396 MEDIUM POC
5.4 Jul 13

Missing authorization in WP Job Portal WordPress plugin before 2.5.5 allows any self-registered subscriber to approve, f

CVE-2026-42684 CRITICAL
9.3 Jun 02

Blind SQL injection in the WP Job Portal WordPress plugin (versions up to and including 2.5.1) allows remote unauthentic

CVE-2026-12397 MEDIUM POC
4.3 Jul 13

The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email fo

CVE-2024-11711 HIGH
7.5 Dec 14

The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to

CVE-2026-48880 MEDIUM
6.5 Jun 15

Stored Cross-Site Scripting in WP Job Portal WordPress plugin versions up to and including 2.5.2 allows authenticated Su

CVE-2022-41786 MEDIUM
5.4 Jan 17

Missing Authorization vulnerability in WP Job Portal WP Job Portal - A Complete Job Board.0.1. Rated medium severity (CV

CVE-2024-11712 MEDIUM
5.3 Dec 14

The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to

CVE-2024-11714 MEDIUM
4.9 Dec 14

The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to

CVE-2024-11713 MEDIUM
4.9 Dec 14

The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to

Share

CVE-2026-42685 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy