Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Job Colors for WP Job Manager wp-job-manager-colors allows Stored XSS. This issue affects Job Colors for WP Job Manager: from n/a through <= 1.0.4.
Published: 2025-03-27
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin fails to neutralize user-controlled input before writing it into a web page (CWE-79), so a value saved through the plugin is later rendered to other visitors with any embedded script intact: a stored (persistent) XSS. The advisory does not identify the affected field or template. The CVSS vector (PR:H, UI:R, S:C) indicates that the payload has to be supplied by an account that already holds high privileges on the site and that a victim must interact with the tainted page, after which the script runs in the victim's browser under the site's origin. Typical consequences are theft of session cookies or other credentials, actions performed with the victim's session, and injected phishing content; CVSS rates the confidentiality, integrity and availability impact as low, for a moderate overall risk.

Affected Systems

Astoundify's Job Colors for WP Job Manager (plugin slug wp-job-manager-colors) is affected in all releases up to and including 1.0.4; the advisory gives no lower bound ("from n/a"). The plugin is a WordPress extension that adds color formatting to job listings managed by WP Job Manager. Any WordPress site running version 1.0.4 or earlier is vulnerable, and this page records no fixed release.

Risk and Exploitability

The CVSS 3.1 score of 5.9 (vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) is medium severity: the flaw is reachable over the network with low attack complexity, but the attacker already needs high privileges on the WordPress site (PR:H) and a victim has to interact with the tainted page (UI:R); the changed scope (S:C) reflects that the script executes in other users' browsers rather than inside the plugin. The EPSS score below 1% suggests a low probability of exploitation at this time, the SSVC assessment records no known exploitation and rates the flaw as not automatable with partial technical impact, and it is not listed in CISA's KEV catalog. Exploitation requires the attacker to submit a malicious value through the plugin's interface, where it is stored and later served unescaped to browsers. Because of the privilege requirement, the realistic threat is a compromised or malicious privileged account rather than an anonymous visitor; note also that on a single-site WordPress install administrators normally hold the unfiltered_html capability anyway, so the flaw matters most on multisite installs or where that capability has been removed and the plugin is relied on to sanitize.

Generated by OpenCVE AI on May 1, 2026 at 03:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Job Colors for WP Job Manager to a release later than 1.0.4 as soon as the vendor publishes one; all versions through 1.0.4 are affected and this page records no fixed version, so confirm the fix against the vendor's changelog or the Patchstack advisory before relying on it.
  • If an upgrade cannot be performed immediately, deactivate or uninstall the Job Colors plugin so that its stored values are no longer rendered to visitors.
  • Before re‑enabling the plugin, review the color settings it has stored (these should be plain color values, typically a hex code such as #1e73be) and remove any entry containing markup, quote characters, event‑handler attributes or a javascript: URL. Since the attacker needs a high‑privilege account, also review which accounts can edit those settings and whether any of them show signs of compromise.
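The following Python is an added illustration, not code from the plugin, from Astoundify or from OpenCVE. It shows the class of bug described in the Impact section (a stored value interpolated into an HTML attribute without validation or escaping, beside the hardened form) and a triage routine for the third recommended action above. The page does not say which field or template is affected, so the inline‑style rendering, the option names and the sample rows are assumptions constructed for the example.

```python
import html
import re

# Strict allow-list for what a color setting may contain: #rgb or #rrggbb.
# Allow-listing is the robust fix for a value that lands in an HTML attribute;
# stripping "<script>" with a deny-list is not.
HEX_COLOR = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")

# Markup or URL-scheme fragments that have no business in a color value.
# Used only as a triage aid when reviewing stored data, never as the sanitizer.
SUSPICIOUS = re.compile(r"<|>|javascript:|on\w+\s*=|\bexpression\s*\(", re.IGNORECASE)


def is_valid_color(value: str) -> bool:
    """Return True only for a well-formed hex color (the shape a color picker emits)."""
    return bool(HEX_COLOR.match(value.strip()))


def render_unescaped(color: str) -> str:
    """Vulnerable pattern (hypothetical): the stored value is interpolated straight
    into a style attribute, so a quote breaks out of the attribute and the rest of
    the payload becomes markup."""
    return f'<span class="job-type" style="color: {color}">Full Time</span>'


def render_hardened(color: str, fallback: str = "#000000") -> str:
    """Hardened pattern: validate against the allow-list, fall back on failure, and
    still escape for the attribute context (defense in depth)."""
    safe = color.strip() if is_valid_color(color) else fallback
    return f'<span class="job-type" style="color: {html.escape(safe, quote=True)}">Full Time</span>'


def triage_settings(rows):
    """Given (option_name, option_value) pairs exported from the site's storage,
    return the names whose values are not valid colors, each paired with whether
    the value looks like markup or script rather than merely a non-hex color."""
    findings = []
    for name, value in rows:
        if is_valid_color(value):
            continue
        findings.append((name, bool(SUSPICIOUS.search(value))))
    return findings


# Constructed sample rows standing in for an export of the plugin's stored
# settings; the option names are made up for illustration.
SAMPLE_ROWS = [
    ("job_color_full-time", "#1e73be"),
    ("job_color_part-time", "#F90"),
    ("job_color_freelance", '"><script>alert(document.cookie)</script>'),
    ("job_color_temporary", "red"),  # not a hex code, but not markup either
]

if __name__ == "__main__":
    for name, flagged in triage_settings(SAMPLE_ROWS):
        print(f"{name}: {'markup-like payload' if flagged else 'not a hex color'}")
    print(render_unescaped(SAMPLE_ROWS[2][1]))  # attribute breakout, script tag survives
    print(render_hardened(SAMPLE_ROWS[2][1]))   # falls back to #000000
```

Run it as a script to see the breakout in the vulnerable rendering and the fallback in the hardened one; point triage_settings at real rows exported from wp_options or the relevant meta table to get the list of entries that need cleaning. The allow-list check is the actual fix, and the html.escape call only covers the case where a future code path forgets to validate.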


Advisories
Source: EUVD
ID: EUVD-2025-8528
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Job Colors for WP Job Manager allows Stored XSS. This issue affects Job Colors for WP Job Manager: from n/a through 1.0.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description (value removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Job Colors for WP Job Manager allows Stored XSS.This issue affects Job Colors for WP Job Manager: from n/a through 1.0.4.
Description (value added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Job Colors for WP Job Manager wp-job-manager-colors allows Stored XSS.This issue affects Job Colors for WP Job Manager: from n/a through <= 1.0.4.
References: changed
Metrics (cvssV3_1): {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Fri, 28 Mar 2025 16:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Mar 2025 22:30:00 +0000

Description (value added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Job Colors for WP Job Manager allows Stored XSS.This issue affects Job Colors for WP Job Manager: from n/a through 1.0.4.
Title (value added): WordPress Job Colors for WP Job Manager plugin <= 1.0.4 - Cross Site Scripting (XSS) vulnerability
Weaknesses (value added): CWE-79
References: changed
Metrics (cvssV3_1): {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:03.962Z

Reserved: 2025-03-26T09:23:14.825Z

Link: CVE-2025-31031

Vulnrichment

Updated: 2025-03-28T15:58:58.463Z

NVD

Status: Deferred

Published: 2025-03-27T23:15:35.850

Modified: 2026-04-23T15:27:34.687

Link: CVE-2025-31031

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T03:45:07Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')