Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobmonster noo-jobmonster allows Stored XSS.This issue affects Jobmonster: from n/a through <= 4.8.0.
Published: 2025-08-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The NooTheme Jobmonster theme contains an improper neutralization of input during page generation that allows stored cross‑site scripting. A malicious actor can embed JavaScript in data fields such as job listings or other content that the theme saves to the database. When other users view the affected pages, the embedded script executes in their browsers, giving the attacker the ability to hijack sessions, deface pages, or perform other malicious actions within the victim’s context.

Affected Systems

All WordPress sites that employ the NooTheme Jobmonster theme at version 4.8.0 or earlier are vulnerable. This includes every installation regardless of the operating system, hosting platform, or additional plugins, as the flaw resides solely in the theme’s rendering logic.

Risk and Exploitability

With a CVSS score of 6.5 the vulnerability is rated moderate severity. The EPSS score is below 1%, indicating a very low likelihood that the flaw is currently being exploited in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a stored XSS attack that requires the attacker to submit malicious content through a content creation or editing interface, which typically demands authenticated user capabilities, often administrative levels. Once the payload is stored, any subsequent page view by a user will trigger the script, exposing the site to widespread client‑side compromise.

Generated by OpenCVE AI on April 30, 2026 at 08:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jobmonster theme to any version newer than 4.8.0 as issued by the vendor.
  • Limit the ability to add or edit posts, jobs, or other content to users with only the essential capabilities, preventing unauthenticated or low‑privilege users from injecting data.
  • Validate and encode all user-supplied content before rendering. Apply WordPress functions such as wp_kses or esc_html to enforce output encoding on job descriptions and other theme‑specific fields.
  • Continuously monitor site activity logs and run automated security scans to detect anomalous script injections or XSS attempts.

Generated by OpenCVE AI on April 30, 2026 at 08:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28647 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobmonster allows Stored XSS. This issue affects Jobmonster: from n/a through 4.8.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobmonster allows Stored XSS. This issue affects Jobmonster: from n/a through 4.8.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobmonster noo-jobmonster allows Stored XSS.This issue affects Jobmonster: from n/a through <= 4.8.0.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Sat, 23 Aug 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Nootheme
Nootheme jobmonster
Wordpress
Wordpress wordpress
Vendors & Products Nootheme
Nootheme jobmonster
Wordpress
Wordpress wordpress

Fri, 22 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 Aug 2025 12:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobmonster allows Stored XSS. This issue affects Jobmonster: from n/a through 4.8.0.
Title WordPress Jobmonster Theme <= 4.8.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Nootheme Jobmonster
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:37.319Z

Reserved: 2025-08-22T11:35:36.401Z

Link: CVE-2025-57887

cve-icon Vulnrichment

Updated: 2025-08-22T13:03:05.342Z

cve-icon NVD

Status : Deferred

Published: 2025-08-22T12:15:32.113

Modified: 2026-04-23T15:32:57.437

Link: CVE-2025-57887

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T08:15:32Z

Weaknesses