CVE-2026-48880
Description
A stored XSS vulnerability in WP Job Portal <= 2.5.2 allows subscribers to inject scripts via crafted requests, requiring interaction from a privileged user for full impact on visitors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the WP Job Portal plugin for WordPress versions 2.5.2 and earlier. The flaw allows authenticated users with subscriber-level access to inject arbitrary HTML and JavaScript into the application, likely through post or profile fields that are not properly sanitized. The injected payload is stored and later executed when other users, including administrators and visitors, view the affected page [1].
Exploitation
An attacker must first have a subscriber account on the target WordPress site. They then craft a malicious payload and submit it via a vulnerable input field. However, successful exploitation of the stored payload requires a privileged user (e.g., administrator or editor) to perform an action such as clicking a crafted link, visiting a specially prepared page, or submitting a form that triggers the execution of the injected script. Without this user interaction, the stored script may not be rendered in a context where it executes [1].
Impact
Once triggered, the injected script can perform actions on behalf of the victim's browser, including redirecting visitors to malicious sites, displaying unauthorized advertisements, stealing session cookies, or defacing the site. The attack affects all site visitors who view the compromised page, leading to potential data theft and damage to the site's reputation [1].
Mitigation
The vendor has released version 2.5.3, which fixes the vulnerability. All users should update to 2.5.3 or later immediately. As a temporary workaround, Patchstack provides a mitigation rule that blocks attacks until the update is applied. If updating is not possible, site administrators should restrict subscriber-level access or disable the plugin until a patched version can be installed [1].
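The narrative above describes the general class of flaw (subscriber-submitted text stored unescaped and rendered for other users) and the fix (update to 2.5.3). The page has no source context for WP Job Portal itself, so the following is an added, generic illustration written for this record, not code from the plugin or from the CVE: a hypothetical subscriber-editable "bio" field rendered once unsafely and once with output escaping, plus a version check an administrator can run against the installed plugin version. It is plain PHP so it runs outside WordPress; the comments name the WordPress helpers that play the same role inside a plugin.

```php
<?php
// Added example, not code from WP Job Portal or from this CVE record.
// The "bio" field and the sample input below are constructed for illustration.

// Constructed sample of what a subscriber-level user might submit into a
// free-text profile field.
const SAMPLE_BIO = 'Hello <script>alert(1)</script> <b onmouseover="x()">hi</b>';

// Vulnerable pattern: user-controlled text is concatenated straight into HTML,
// so any markup the subscriber stored is rendered for every later viewer.
function render_bio_unsafe(string $bio): string
{
    return '<div class="bio">' . $bio . '</div>';
}

// Hardened pattern: escape at the point of output. ENT_QUOTES covers both quote
// styles so the same helper is safe inside attribute values; ENT_SUBSTITUTE
// keeps invalid UTF-8 from collapsing the whole string to "".
// WordPress equivalents: esc_html() for text nodes, esc_attr() for attributes.
function esc_html_out(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_bio_safe(string $bio): string
{
    return '<div class="bio">' . esc_html_out($bio) . '</div>';
}

// Defence in depth: also normalise on save, so stored data is already plain
// text even if some template forgets to escape. WordPress equivalents:
// sanitize_text_field() for single-line fields, wp_kses() when a limited set
// of tags must be allowed.
function sanitize_on_save(string $bio): string
{
    return trim(strip_tags($bio));
}

// Check used by a defender to confirm escaping happened: a rendered fragment
// must not still contain an unescaped opening <script tag.
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Version check for the advisory above: anything below 2.5.3 is affected.
// $installed would normally come from the plugin header via get_plugin_data().
function wp_job_portal_needs_update(string $installed): bool
{
    return version_compare($installed, '2.5.3', '<');
}

echo render_bio_unsafe(SAMPLE_BIO), PHP_EOL;
echo render_bio_safe(SAMPLE_BIO), PHP_EOL;
echo 'unsafe output still has <script: ', var_export(contains_raw_script(render_bio_unsafe(SAMPLE_BIO)), true), PHP_EOL;
echo 'safe output still has <script:   ', var_export(contains_raw_script(render_bio_safe(SAMPLE_BIO)), true), PHP_EOL;
echo 'stored after sanitize_on_save:   ', sanitize_on_save(SAMPLE_BIO), PHP_EOL;
echo 'version 2.5.2 needs update:      ', var_export(wp_job_portal_needs_update('2.5.2'), true), PHP_EOL;
echo 'version 2.5.3 needs update:      ', var_export(wp_job_portal_needs_update('2.5.3'), true), PHP_EOL;
```

Escaping on output is the control that closes the hole regardless of how the text got into the database; sanitising on save is the second layer. Neither replaces applying the 2.5.3 update, and the version check is only a convenience for confirming that the update landed.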
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. This section is only generated when the actual fix diff can be read; without it, the four subsections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 1
- [1] Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026), Wordfence Blog, Jun 11, 2026