Impact
The vulnerability is a classic stored cross‑site scripting flaw. Improper neutralization of input during web page generation allows an attacker to inject malicious script into job postings created through the HireHive Job Plugin. Once injected, the script runs in the browsers of any user who views the affected job entry, potentially stealing credentials, hijacking sessions, or defacing the site. The weakness is identified as CWE‑79. The impact is limited to the scope of the affected plugin and any web pages that display its content.
Affected Systems
The affected component is the WordPress HireHive Job Plugin provided by zartis. All product releases up to and including version 2.9.0 are vulnerable. No specific sub‑versions are listed, so any deployment of the plugin at a version less than or equal to 2.9.0 is at risk.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity. The EPSS score of < 1% means that at the time of analysis the likelihood of exploitation in the wild is very low, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is the plugin's web interface, where authenticated or even unauthenticated users can create or edit job postings, enabling an attacker to embed script that is stored with the posting and served to every subsequent viewer rather than disappearing on page refresh. However, detailed prerequisites for exploitation are not described in the supplied data, so the exact conditions remain uncertain.
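To make the CWE-79 pattern from the Impact and Risk sections concrete, here is an added before/after illustration written for this page; it is not code from the HireHive Job Plugin. The job field names, the `hirehive_save_job` nonce action and the two render/save functions are hypothetical, while `esc_html`, `wp_kses_post`, `esc_url`, `esc_url_raw`, `sanitize_text_field`, `current_user_can` and `wp_verify_nonce` are standard WordPress APIs.

```php
<?php
// Added illustration, not code from the HireHive Job Plugin.
// Field names (title, description, apply_url) and the nonce action are
// hypothetical placeholders chosen for this example.

// --- Vulnerable pattern (CWE-79): stored values echoed without escaping ---
function render_job_vulnerable( array $job ) {
    // Whatever was saved in the posting, including <script>, reaches the page as-is,
    // so the payload runs in the browser of every user who views the job entry.
    return '<h2>' . $job['title'] . '</h2>'
         . '<div class="job-body">' . $job['description'] . '</div>'
         . '<a href="' . $job['apply_url'] . '">Apply</a>';
}

// --- Hardened pattern: authorize and sanitize on save, escape on output ---
function save_job_hardened( array $raw ) {
    if ( ! current_user_can( 'edit_posts' ) ) {                 // capability check
        return new WP_Error( 'forbidden', 'Insufficient capability' );
    }
    if ( ! isset( $raw['_nonce'] ) || ! wp_verify_nonce( $raw['_nonce'], 'hirehive_save_job' ) ) {
        return new WP_Error( 'bad_nonce', 'Request could not be verified' );
    }
    return array(
        'title'       => sanitize_text_field( $raw['title'] ?? '' ),   // strips tags and control bytes
        'description' => wp_kses_post( $raw['description'] ?? '' ),    // keeps only post-safe HTML
        'apply_url'   => esc_url_raw( $raw['apply_url'] ?? '' ),       // drops javascript: and other disallowed schemes
    );
}

function render_job_hardened( array $job ) {
    // Escape for the exact context each value lands in. Sanitizing on save is
    // defence in depth; escaping at output is what actually closes CWE-79,
    // because older rows saved before the fix are still rendered safely.
    return '<h2>' . esc_html( $job['title'] ) . '</h2>'
         . '<div class="job-body">' . wp_kses_post( $job['description'] ) . '</div>'
         . '<a href="' . esc_url( $job['apply_url'] ) . '">Apply</a>';
}
```

When reviewing a plugin for this flaw class, search every template and shortcode handler for job fields that reach `echo` or string concatenation without one of the `esc_*` / `wp_kses_*` calls for the matching context.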
OpenCVE Enrichment