VYPR
Medium severity4.4NVD Advisory· Published Dec 12, 2025· Updated Apr 15, 2026

CVE-2025-14467

CVE-2025-14467

Description

The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.4. This is due to the plugin explicitly whitelisting the ` tag in its WPJOBPORTAL_ALLOWED_TAGS` configuration and using insufficient input sanitization when saving job descriptions. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts into job description fields via the job creation/editing interface. These scripts will execute whenever a user accesses an injected page, enabling session hijacking, credential theft, and other malicious activities.This only impacts multi-site installations, or those with unfiltered_html disabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.