Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ahmad WP Job Portal allows Reflected XSS.
This issue affects WP Job Portal: from n/a through 2.5.1.
AnalysisAI
Reflected cross-site scripting in the WP Job Portal WordPress plugin (versions up to and including 2.5.1) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after they click a crafted link. The flaw has CVSS 7.1 elevated by scope change (S:C), meaning script execution can impact resources beyond the vulnerable component, such as the WordPress admin session. No public exploit identified at time of analysis and no CISA KEV listing.
Technical ContextAI
WP Job Portal is a WordPress plugin (CPE cpe:2.3:a:ahmad:wp_job_portal) by author Ahmad that provides job board and recruitment functionality for WordPress sites. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), where user-controlled input from an HTTP request parameter is reflected back into a generated HTML response without sufficient output encoding or contextual escaping. Because the payload is reflected rather than stored, exploitation requires the attacker to deliver the malicious URL to a victim and have them load it in a browser session against the vulnerable site.
RemediationAI
No vendor-released patched version is independently confirmed in the available data; administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-5-1-cross-site-scripting-xss-vulnerability for the latest fixed release and upgrade WP Job Portal beyond 2.5.1 once that release is published. In the interim, deactivate the WP Job Portal plugin if the job board feature is non-essential (trade-off: job listings will be unavailable to site visitors), or place a Web Application Firewall rule in front of the site to filter reflected XSS payloads on the plugin's request parameters (trade-off: WAF signature gaps may still permit obfuscated payloads). Additionally, restrict administrator browsing habits by enforcing a Content Security Policy that disallows inline scripts on the WordPress site to reduce the impact of any successful reflection (trade-off: may break legitimate plugins or themes that rely on inline JavaScript).
More in Wp Job Portal
View allThe WP Job Portal WordPress plugin before 2.0.6 does not sanitise and escape a parameter before using it in a SQL statem
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
Missing authorization in WP Job Portal WordPress plugin before 2.5.5 allows any self-registered subscriber to approve, f
Blind SQL injection in the WP Job Portal WordPress plugin (versions up to and including 2.5.1) allows remote unauthentic
The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email fo
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
Stored Cross-Site Scripting in WP Job Portal WordPress plugin versions up to and including 2.5.2 allows authenticated Su
Missing Authorization vulnerability in WP Job Portal WP Job Portal - A Complete Job Board.0.1. Rated medium severity (CV
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33910
GHSA-w29x-75gh-2g79