Impact
The Jobs for WordPress plugin contains a stored XSS vulnerability caused by improper neutralization of input during web page generation. A malicious actor can inject arbitrary JavaScript into the plugin’s job‑posting input fields. Because the content is stored and later rendered on the site, the embedded script executes in the browser of any visitor to the affected page, potentially stealing session cookies, defacing content, or performing phishing attacks. The flaw is classified as CWE‑79 and gives an attacker the ability to run script in the victim’s browser, with the victim’s session and privileges.
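To make the "improper neutralization during web page generation" concrete, the following is an added example and not code from the Jobs for WordPress plugin or from BlueGlass Interactive AG. It renders a hypothetical stored job posting (the field names `title` and `company` and the `$posting` array are assumptions) first without output encoding, which is the CWE-79 pattern described above, and then with context-appropriate encoding applied at render time. Plain PHP `htmlspecialchars()` is used so the snippet runs without WordPress loaded; in a real plugin the equivalent WordPress helpers are `esc_html()`, `esc_attr()` and `esc_url()`.

```php
<?php
// Added example (not the plugin's own code). Demonstrates stored XSS via
// missing output encoding and the hardened rendering of the same field.
declare(strict_types=1);

// UNSAFE: the stored value is concatenated straight into HTML, so any
// markup an author saved into the posting becomes part of the page.
function render_job_title_unsafe(array $posting): string
{
    return '<h2 class="job-title">' . $posting['title'] . '</h2>';
}

// Encoding for HTML body text. ENT_QUOTES also encodes ' and ", ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string. WordPress
// wraps the same idea as esc_html().
function esc_html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoding for a double-quoted attribute value (WordPress: esc_attr()).
// The same function is used, but the caller must also quote the attribute;
// an unquoted attribute can be broken out of with a space alone.
function esc_attr_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// SAFE: every stored field is encoded for the context it lands in.
function render_job_title_safe(array $posting): string
{
    return '<h2 class="job-title" data-company="' . esc_attr_text($posting['company']) . '">'
        . esc_html_text($posting['title'])
        . '</h2>';
}

// Constructed sample posting: both fields carry markup, as a stored XSS
// payload would. These values are made up for the example.
$posting = [
    'title'   => 'Engineer <script>document.title = "x"</script>',
    'company' => 'Acme" onmouseover="document.title = \'y\'',
];

$unsafe = render_job_title_unsafe($posting);
$safe   = render_job_title_safe($posting);

echo "Unsafe rendering:\n", $unsafe, "\n\n";
echo "Encoded rendering:\n", $safe, "\n";

// Checks a reviewer would run: the raw tag and the attribute break-out must
// survive only in the unsafe output, never in the encoded one.
assert(str_contains($unsafe, '<script>'));
assert(!str_contains($safe, '<script>'));
assert(!str_contains($safe, '" onmouseover='));
```

Encoding at output is the fix for this class of bug; filtering on save (for example WordPress `wp_kses_post()` on fields that legitimately hold limited HTML) is a useful second layer but does not replace it, because data can enter the database through other paths than the form that was sanitized. The `str_contains()` calls require PHP 8.0 or later; on older versions substitute `strpos(...) !== false`.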
Affected Systems
BlueGlass Interactive AG’s Jobs for WordPress plugin is affected in versions up to and including 2.7.14.
Risk and Exploitability
The CVSS score of 6.5 places this vulnerability in the medium severity range, while an EPSS score of less than 1% indicates a very low likelihood of exploitation in the near term. It is not listed in the CISA KEV catalog. The inferred attack path requires an adversary to first reach the job‑posting interface, typically with the credentials of a WordPress user permitted to create or edit postings, before injecting a malicious payload. The requirement for write access to the plugin’s data reduces the probability of widespread exploitation but does not eliminate the risk for sites where any logged‑in user can create postings, since every visitor to a poisoned listing is then exposed.