Impact
The Apply with LinkedIn buttons plugin for WordPress fails to neutralize user‑controllable input during web page generation, resulting in a DOM‑based Cross‑Site Scripting (XSS) vulnerability. In a DOM‑based XSS the untrusted value reaches the page through the plugin's own client‑side script rather than the server response, so unescaped data is interpreted by the browser as markup and an attacker can execute arbitrary JavaScript in the context of any user who views the affected page. The directly stated impact is client‑side script execution, which can alter what the victim sees on the page or perform actions on the site on the victim's behalf.
Affected Systems
WordPress sites running ivobrett’s Apply with LinkedIn buttons plugin in any version from its initial release through 2.3 (inclusive) are affected. The flaw lies in the plugin’s front‑end rendering code, so triggering it does not require administrative privileges on the site.
Risk and Exploitability
With a CVSS score of 6.5 the flaw is rated moderate. An EPSS score below 1 % and the absence of the vulnerability from the CISA KEV catalog indicate that exploitation in the wild is currently unlikely. Because this is DOM‑based XSS, the likely attack vector is a crafted link, typically carrying the payload in a URL query parameter or fragment, that a victim is induced to open through social engineering or that is embedded on a third‑party site. This is an inference from the class of the flaw (the payload is injected when the victim’s browser runs the plugin’s client‑side code), not a detail published for this specific issue.
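The following is an added example, not the plugin's code, illustrating the generic DOM‑based XSS pattern described in the Impact and Risk sections above and its fix. It assumes a hypothetical `company` query parameter that the front‑end script splices into the button markup; the real plugin's parameter name and sink are not named on this page. The example uses a constructed payload URL and runs under Node.js or a browser.

```javascript
// Added example (not from the plugin). Demonstrates the DOM-based XSS
// pattern: a value taken from the page URL is concatenated into HTML
// that the page later assigns to innerHTML (or jQuery .html()).
// The "company" parameter is an assumption for illustration.

// Read one query-string parameter from a URL (WHATWG URL API, available
// in browsers and Node.js). searchParams.get() percent-decodes the value.
function getParam(href, name) {
  return new URL(href).searchParams.get(name) || "";
}

// VULNERABLE: untrusted data is spliced straight into markup. A value such
// as "<img src=x onerror=alert(1)>" becomes live HTML once rendered.
function renderButtonUnsafe(href) {
  const company = getParam(href, "company");
  return '<a class="li-apply" data-company="' + company + '">' +
         "Apply with LinkedIn to " + company + "</a>";
}

// Minimal HTML escaping that is safe for the element-text and
// double-quoted-attribute contexts used above.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// HARDENED: escape before concatenation, so the same input is shown as
// text. In real DOM code, prefer textContent / setAttribute over
// building HTML strings at all.
function renderButtonSafe(href) {
  const company = escapeHtml(getParam(href, "company"));
  return '<a class="li-apply" data-company="' + company + '">' +
         "Apply with LinkedIn to " + company + "</a>";
}

// Constructed attacker link: the payload rides in the query string, which
// is exactly what a social-engineered or third-party-embedded link delivers.
const DEMO_PAYLOAD_URL =
  "https://example.com/jobs/?company=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";

// Convenience: render both variants for the same URL.
function demo(href) {
  return { unsafe: renderButtonUnsafe(href), safe: renderButtonSafe(href) };
}
```

The check a reviewer would apply to the plugin's own script is the same: find every place a value from `location.search`, `location.hash`, `document.URL` or `document.referrer` flows into `innerHTML`, `outerHTML`, `document.write`, `$.html()` or an `on*` attribute, and either escape it for that context or switch to DOM APIs that treat the value as text.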