Description
The Job Board by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.1. This is due to the plugin storing the entire unsanitized `$_GET` superglobal array directly into the database via `update_user_meta()` when users save search results, and later outputting this data without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses the saved search or views their profile, granted they can trick the user into performing the search and saving the results.
Published: 2025-11-25
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability arises because the Job Board by BestWebSoft plugin stores the entire unsanitized $_GET superglobal array in user meta via update_user_meta() when a user saves a search. When the user later views the saved search or their profile, that data is rendered without escaping, so any HTML or JavaScript placed in a query-string parameter is written into the page as live markup. An attacker can craft a URL whose parameters carry a script payload, trick a victim into running that search and saving it, and the payload then executes in the victim's browser each time the saved search is displayed; typical consequences are actions performed with the victim's session, defacement of the page, or redirection to a phishing site. The flaw does not allow server-side code execution; its impact is limited to the victim's browser context.
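The pattern described above, reconstructed as an added illustration rather than the plugin's own code: the vulnerable save-and-render pair next to a hardened version that adds a nonce check (closing the CSRF entry point), an allowlist of search fields, sanitization before update_user_meta() and escaping on output. The meta key 'jb_saved_search', the nonce action 'jb_save_search', the 'save_search' query parameter and the field names are assumptions; the WordPress functions used are the standard ones.

```php
<?php
// Added illustration, not the plugin's own code: a minimal reconstruction of the
// flaw the advisory describes, next to a hardened version. The meta key
// 'jb_saved_search', the nonce action 'jb_save_search', the query parameter
// 'save_search' and the field names are assumptions.

/* ---- Vulnerable pattern ------------------------------------------------- */

function vulnerable_save_search( $user_id ) {
    // Whatever the URL carried is persisted verbatim, including keys the
    // search form never defined. There is also no nonce, so a link on any
    // third-party page can trigger the save (the CSRF half of the chain).
    if ( isset( $_GET['save_search'] ) ) {
        update_user_meta( $user_id, 'jb_saved_search', $_GET );
    }
}

function vulnerable_render_search( $user_id ) {
    $saved = get_user_meta( $user_id, 'jb_saved_search', true );
    foreach ( (array) $saved as $key => $value ) {
        // Unescaped output: a value such as <img src=x onerror=alert(1)>
        // is emitted as live markup every time this view loads.
        echo '<li>' . $key . ': ' . $value . '</li>';
    }
}

/* ---- Hardened pattern --------------------------------------------------- */

// Fields the search form actually uses (assumed names).
const JB_SEARCH_FIELDS = array( 'keyword', 'location', 'category' );

function hardened_save_search( $user_id ) {
    if ( ! isset( $_GET['save_search'] ) ) {
        return false;
    }
    // 1. Saving must be a deliberate act by the user, not a forged request:
    //    a cross-site link cannot carry a valid nonce for this action.
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'jb_save_search' ) ) {
        return false;
    }
    // 2. Allowlist: keep only known fields, and skip anything that is not a
    //    plain string (e.g. ?keyword[]=x would hand an array to the sanitizer).
    $clean = array();
    foreach ( JB_SEARCH_FIELDS as $field ) {
        if ( isset( $_GET[ $field ] ) && is_string( $_GET[ $field ] ) ) {
            $clean[ $field ] = sanitize_text_field( wp_unslash( $_GET[ $field ] ) );
        }
    }
    // 3. Persist the reduced, sanitized array rather than the raw superglobal.
    update_user_meta( $user_id, 'jb_saved_search', $clean );
    return true;
}

function hardened_render_search( $user_id ) {
    $saved = get_user_meta( $user_id, 'jb_saved_search', true );
    foreach ( (array) $saved as $key => $value ) {
        // Escape on output regardless of what happened on input: the database
        // may still hold rows written by the old code.
        echo '<li>' . esc_html( $key ) . ': ' . esc_html( $value ) . '</li>';
    }
}

// The "save" link the legitimate UI would emit; the nonce it carries is what a
// forged cross-site link cannot supply.
function hardened_save_link( $search_params ) {
    $url = add_query_arg( array_merge( $search_params, array( 'save_search' => 1 ) ), home_url( '/jobs/' ) );
    return wp_nonce_url( $url, 'jb_save_search' );
}
```

The allowlist is what removes the attacker's freedom to add arbitrary keys; sanitize_text_field() strips tags from the values that remain, and esc_html() on output protects rows that were stored before the fix was applied.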

Affected Systems

WordPress installations using the Job Board by BestWebSoft plugin version 1.2.1 or earlier are affected. No additional vendor or product versions are listed, but any version up to and including 1.2.1 shares the same insecure logic.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates medium severity: the attack is reachable over the network, needs no privileges and low complexity, but requires user interaction, and the changed scope reflects that the payload runs in the victim's browser rather than on the server. The EPSS score below 1% suggests a low probability of exploitation in the wild, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. The attack chain is a cross-site request forgery leading to stored XSS: an unauthenticated attacker prepares a link or page that submits the search with attacker-controlled query parameters and relies on the victim to save the result; no credentials of the attacker are involved. The risk is higher on sites where saving searches is a routine, lightly trusted action, because each saved search becomes a persistent payload that fires every time the user returns to it.

Generated by OpenCVE AI on April 22, 2026 at 16:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Job Board by BestWebSoft to a release newer than 1.2.1 as soon as the vendor publishes one that sanitizes the stored search parameters and escapes them on output; no fixed version is recorded on this page.
  • If an immediate upgrade is not possible, remove or disable the functionality that writes the GET array to user meta, or patch the plugin locally so that only an allowlist of expected search fields is sanitized (for example with sanitize_text_field()) before update_user_meta() and escaped (esc_html() or esc_attr()) on output; a nonce check on the save action closes the CSRF entry point.
  • Review the wp_usermeta table for saved-search entries that contain markup (for example values containing <script, onerror= or javascript:), delete them, and then clear any page or object cache so no cached copy of the rendered script remains.
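The database review in the last action, as an added example that is neither OpenCVE's nor BestWebSoft's tooling. It runs inside WordPress via WP-CLI (`wp eval-file audit-usermeta.php`), binds every LIKE pattern through $wpdb->prepare() so the audit itself is not injectable, unserializes each hit so the report shows which query parameter carried the payload, and deletes rows only when explicitly asked. The marker list is an assumption, and because the page does not name the meta key the plugin uses, every meta_value is scanned rather than one key.

```php
<?php
/**
 * Added illustration, not OpenCVE's or BestWebSoft's tooling: audit wp_usermeta
 * for saved-search rows that carry markup, and optionally delete them.
 * Run inside WordPress with WP-CLI:  wp eval-file audit-usermeta.php
 * The marker list is an assumption; the plugin's meta key is not named on the
 * advisory page, so every meta_value is scanned rather than one key.
 */

function find_suspicious_usermeta( $delete = false ) {
    global $wpdb;

    // Fragments that have no business inside a saved job search (assumed list).
    // LIKE under the default *_ci collations is case-insensitive, so <SCRIPT> matches too.
    $markers = array( '<script', 'javascript:', 'onerror=', 'onload=', '<svg', '<iframe' );

    // Build "meta_value LIKE %s OR ..." with every marker escaped for LIKE and
    // bound through $wpdb->prepare(), so the audit query is not injectable.
    $clauses = array();
    $params  = array();
    foreach ( $markers as $marker ) {
        $clauses[] = 'meta_value LIKE %s';
        $params[]  = '%' . $wpdb->esc_like( $marker ) . '%';
    }
    $sql  = "SELECT umeta_id, user_id, meta_key, meta_value FROM {$wpdb->usermeta} WHERE "
          . implode( ' OR ', $clauses );
    $rows = $wpdb->get_results( $wpdb->prepare( $sql, $params ) );

    $hits = array();
    foreach ( $rows as $row ) {
        // Saved searches are stored as a serialized PHP array; unserialize so the
        // report names the query parameter that carried the payload.
        $value   = maybe_unserialize( $row->meta_value );
        $fields  = is_array( $value ) ? $value : array( '(raw)' => $row->meta_value );
        $tainted = array();
        foreach ( $fields as $name => $content ) {
            if ( ! is_string( $content ) ) {
                continue;
            }
            foreach ( $markers as $marker ) {
                if ( false !== stripos( $content, $marker ) ) {
                    $tainted[ $name ] = substr( $content, 0, 80 );
                    break;
                }
            }
        }
        $hits[] = array(
            'umeta_id' => (int) $row->umeta_id,
            'user_id'  => (int) $row->user_id,
            'meta_key' => $row->meta_key,
            'fields'   => $tainted,
        );
        if ( $delete ) {
            delete_metadata_by_mid( 'user', (int) $row->umeta_id );
        }
    }
    return $hits;
}

// Report first; rerun with find_suspicious_usermeta( true ) only after reviewing the list.
foreach ( find_suspicious_usermeta( false ) as $hit ) {
    WP_CLI::log( sprintf(
        'umeta_id=%d user_id=%d key=%s fields=%s',
        $hit['umeta_id'],
        $hit['user_id'],
        $hit['meta_key'],
        wp_json_encode( $hit['fields'] )
    ) );
}
```

Expect false positives from unrelated meta that legitimately contains HTML (for example rich-text profile fields), which is why the script reports before it deletes; after removing the tainted rows, flush the object and page caches so no cached rendering of the saved search survives.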


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

  References: updated (no values listed)

Mon, 01 Dec 2025 15:30:00 +0000

  First Time appeared (values added): Bestwebsoft; Bestwebsoft job Board; Wordpress; Wordpress wordpress
  Vendors & Products (values added): Bestwebsoft; Bestwebsoft job Board; Wordpress; Wordpress wordpress

Tue, 25 Nov 2025 17:15:00 +0000

  Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 25 Nov 2025 07:45:00 +0000

  Description (values added): as given in the Description section above
  Title (values added): Job Board by BestWebSoft <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via $_GET Array Storage
  Weaknesses (values added): CWE-79
  References (values added): (no values listed)
  Metrics (values added): cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:40:51.514Z

Reserved: 2025-11-18T20:43:02.420Z

Link: CVE-2025-13383

Vulnrichment

Updated: 2025-11-25T16:38:26.114Z

NVD

Status: Deferred

Published: 2025-11-25T08:15:50.443

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13383

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T16:45:21Z

Weaknesses