Stored Cross-Site Scripting in WP Job Portal Plugin for WordPress
CVE-2025-14467
Key Information:
- Vendor: WordPress
- CVE Published: 12 December 2025
What is CVE-2025-14467?
The WP Job Portal plugin for WordPress has a stored cross-site scripting vulnerability affecting versions up to 2.3.9. The issue arises because the plugin whitelists the <script> tag in its WPJOBPORTAL_ALLOWED_TAGS setting and does not adequately sanitize input when saving job descriptions. This allows authenticated attackers with Editor-level permissions or higher to inject arbitrary scripts into the job description fields through the job creation/editing interface. The injected scripts execute whenever any user accesses a page with an injected job description, leading to serious security risks including session hijacking and credential theft. The vulnerability primarily affects multi-site installations or those with unfiltered_html disabled.
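The allowlist problem described above, modeled as an added example in Python (it is not the plugin's PHP code): the same sanitizer is run with a tag allowlist that contains script and with one that does not. The allowlist contents other than script, the names WEAK_ALLOWED, SAFE_ALLOWED and sanitize, and the sample job description are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlists (tag -> permitted attributes). Only the presence of
# "script" comes from the advisory; every other entry is an assumption.
WEAK_ALLOWED = {"p": set(), "b": set(), "a": {"href"}, "script": set()}
SAFE_ALLOWED = {t: a for t, a in WEAK_ALLOWED.items() if t != "script"}
RAW_TEXT = {"script", "style"}  # a disallowed one loses its content too
SAFE_SCHEMES = ("http://", "https://", "/")

class AllowlistSanitizer(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []
        self.skip_depth = 0  # > 0 while inside a disallowed raw-text element

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            if tag in RAW_TEXT:
                self.skip_depth += 1
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name not in self.allowed[tag]:
                continue  # drops on* handlers and any unlisted attribute
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript: and other non-http(s) targets
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")
        elif tag in RAW_TEXT and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize(html, allowed):
    parser = AllowlistSanitizer(allowed)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample job description, not taken from the plugin or a real site.
SAMPLE = '<p>Senior engineer</p><script>alert(1)</script><a href="javascript:x" onclick="y()">apply</a>'
```

With WEAK_ALLOWED the script element survives sanitization intact because the allowlist itself permits it; with SAFE_ALLOWED the element and its content are removed before storage.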
Affected Version(s)
WP Job Portal – AI-Powered Recruitment System for Company or Job Board website * <= 2.3.9