WordPress Plugin Vulnerabilities

WpGenius Job Listing <= 1.0.2 - Admin+ Stored Cross-Site Scripting

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/src/admin/class/class-wpgenious-job-listing-options.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Affects Plugins

Plugin icon
wpgenious-job-listing
No known fix

References

CVE
CVE-2021-39335
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39335

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Thinkland Security Team
Verified
No
WPVDB ID
7c81a237-30cf-4936-9528-064de31340db

Timeline

Publicly Published
2021-10-14 (about 4 years ago)
Added
2021-10-15 (about 4 years ago)
Last Updated
2026-02-18 (about 2 months ago)

Other

Published
Title
Published
2024-12-11
Title
WP Service Payment Form With Authorize.net <= 2.6.3 - Reflected Cross-Site Scripting
Published
2024-07-11
Title
WP Event Aggregator < 1.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-09-26
Title
OSM < 6.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via osm_map and osm_map_v3 Shortcodes
Published
2025-01-06
Title
WC Affiliate < 2.4 - Reflected XSS
Published
2024-12-02
Title
Magical Addons For Elementor < 1.3.7 - Contributor+ Stored XSS