WordPress ApplyOnline – Application Form Builder and Manager Plugin <= 2.5 is vulnerable to Cross Site Scripting (XSS)
Description
Stored XSS vulnerability in ApplyOnline plugin <=2.5 allows authenticated admin-level attackers to inject malicious scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Spider Teams ApplyOnline plugin for WordPress, affecting versions 2.5 and earlier. The flaw allows authenticated users with administrator-level privileges to inject arbitrary JavaScript into the application, which is then stored and executed when other administrators view the affected pages. The vulnerability is present in the plugin's admin interface, likely through unsanitized input fields used for form or ad configuration [1].
Exploitation
An attacker must have an administrator account on the WordPress site. With that access, they can craft a malicious payload (e.g., JavaScript code) and inject it into a vulnerable input field within the ApplyOnline plugin's settings or ad creation forms. The payload is stored in the database and subsequently rendered without proper sanitization, executing in the browsers of other admin users who visit the affected pages. No additional user interaction beyond viewing the page is required [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the WordPress admin dashboard. This can lead to session hijacking, defacement, theft of sensitive data (such as cookies or admin credentials), or further privilege escalation by performing actions on behalf of the victim admin. The scope of compromise is limited to the admin interface, but it can be used to compromise the entire site if the attacker gains full administrative control [1].
Mitigation
The vulnerability is fixed in version 2.6 or later of the ApplyOnline plugin. Users should update to the latest version (2.6.8.1 as of the reference) immediately. No workaround is available for older versions. The plugin remains actively maintained, and the vendor has addressed the issue in subsequent releases [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=2.5
- Spider Teams/ApplyOnline v5 Range: n/a
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.