Description
The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.23 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Apply Upgrade
AI Analysis

Impact

The VK Google Job Posting Manager plugin for WordPress allows an authenticated author or higher to store arbitrary JavaScript in the job description field because the input is not properly sanitized or escaped before rendering. When a user views an affected job post, the injected script executes with the context of the site, potentially enabling code execution in the visitor’s browser, data theft, or session hijacking.

Affected Systems

Vektor‑Inc’s VK Google Job Posting Manager WordPress plugin, versions up to and including 1.2.23, is affected. No other product or version is listed.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4, indicating a moderate severity. The EPSS score is below 1%, implying a low to very low probability of exploitation in the near term. It is not listed in the CISA KEV catalog, and exploitation requires the attacker to have author‑level or higher permissions and to trick another user into viewing the injected job description.

Generated by OpenCVE AI on April 21, 2026 at 23:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade VK Google Job Posting Manager to version 1.2.24 or later, if available.
  • If no newer release exists, implement a content filter that removes or escapes script tags from the job description field.
  • Restrict job posting capabilities so that only trusted users with elevated privileges can create or edit postings.
  • Consider disabling JavaScript execution in job description pages via CSP headers or a plugin that sanitizes output.

Generated by OpenCVE AI on April 21, 2026 at 23:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.20 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.23 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title VK Google Job Posting Manager <= 1.2.20 - Authenticated (Author+) Stored Cross-Site Scripting via Job Description Field VK Google Job Posting Manager <= 1.2.23 - Authenticated (Author+) Stored Cross-Site Scripting via Job Description Field
References

Mon, 26 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Vektor
Vektor vk Google Job Posting Manager
Wordpress
Wordpress wordpress
Vendors & Products Vektor
Vektor vk Google Job Posting Manager
Wordpress
Wordpress wordpress

Sat, 24 Jan 2026 07:45:00 +0000

Type Values Removed Values Added
Description The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.20 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title VK Google Job Posting Manager <= 1.2.20 - Authenticated (Author+) Stored Cross-Site Scripting via Job Description Field
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Vektor Vk Google Job Posting Manager
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:40.162Z

Reserved: 2025-11-06T19:59:33.790Z

Link: CVE-2025-12836

cve-icon Vulnrichment

Updated: 2026-01-26T15:29:35.048Z

cve-icon NVD

Status : Deferred

Published: 2026-01-24T08:16:03.870

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12836

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:00:03Z

Weaknesses