Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Subscriber account required (PR:L), victim must render content (UI:R), scope changes to victim browser (S:C); availability impact omitted (A:N) as XSS does not cause system unavailability.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Cross Site Scripting (XSS) in WP Job Portal <= 2.5.2 versions.
AnalysisAI
Stored Cross-Site Scripting in WP Job Portal WordPress plugin versions up to and including 2.5.2 allows authenticated Subscriber-level users to inject persistent malicious JavaScript payloads that execute in other users' browsers, including administrators. The CVSS S:C scope change confirms the injected script crosses the security boundary into victims' browser sessions, enabling session hijacking or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege requirement makes this realistic on open-registration WordPress job-board deployments.
Technical ContextAI
WP Job Portal is a WordPress plugin for job listing and applicant management (CPE: cpe:2.3:a:ahmad:wp_job_portal:*:*:*:*:*:*:*:*). CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause as insufficient sanitization or escaping of user-supplied input - likely in job application fields, profile data, or submission forms - before the data is stored and later rendered to other users. The 'Subscriber' label in the vulnerability name explicitly identifies the WordPress role tier at which the flaw is reachable, which is the default lowest-privilege authenticated role. The CVSS S:C scope change is the defining characteristic of Stored XSS: the malicious payload persists in the database and executes in a different security context (the victim's browser), making it categorically more dangerous than Reflected XSS. Reported by Patchstack and also tracked as EUVD-2026-36855.
RemediationAI
Update WP Job Portal to a version beyond 2.5.2 as soon as one is available; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-5-2-cross-site-scripting-xss-vulnerability for the confirmed patched release version, as the exact fix version was not specified in available data. If an update is not immediately available or deployable, disable open user registration on the WordPress site to prevent untrusted parties from obtaining Subscriber accounts - note this will block legitimate job seekers from self-registering and may impact the plugin's core use case. As an additional compensating control, deploy a Web Application Firewall with XSS filtering rules to intercept common payload patterns in form submissions; this is not a complete mitigation but reduces opportunistic exploitation. Administrators should also review existing Subscriber-level user accounts for suspicious activity.
More in Wp Job Portal
View allThe WP Job Portal WordPress plugin before 2.0.6 does not sanitise and escape a parameter before using it in a SQL statem
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
Missing authorization in WP Job Portal WordPress plugin before 2.5.5 allows any self-registered subscriber to approve, f
Blind SQL injection in the WP Job Portal WordPress plugin (versions up to and including 2.5.1) allows remote unauthentic
The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email fo
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
Reflected cross-site scripting in the WP Job Portal WordPress plugin (versions up to and including 2.5.1) allows remote
Missing Authorization vulnerability in WP Job Portal WP Job Portal - A Complete Job Board.0.1. Rated medium severity (CV
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
The WP Job Portal - A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36855
GHSA-43cg-66pp-26g8