Simple Job Board < 2.9.5 – Admin+ Stored Cross-Site Scripting | CVE 2021-39328 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $job_board_privacy_policy_label variable echo’d out via the ~/admin/settings/class-simple-job-board-settings-privacy.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Affects Plugins

simple-job-board

Fixed in 2.9.5

References

CVE

URL

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39328

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Thinkland Security Team

Verified

Yes

WPVDB ID

899ac304-b1ad-490b-8e85-fb0d9e444626

Timeline

Publicly Published

2021-10-21 (about 4 years ago)

Added

2021-10-21 (about 4 years ago)

Last Updated

2022-04-10 (about 4 years ago)

Other

Published

Title

Published

2025-02-22

Title

Popup Builder < 1.1.35 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2026-02-18

Title

YaMaps for WordPress < 0.6.41 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Parameters

Published

2026-02-09

Title

Name Directory < 1.32.1 - Unauthenticated Stored Cross-Site Scripting via Double HTML-Entity Encoding in Submission Form

Published

2024-12-16

Title

Olivia <= 0.9.5 - Reflected Cross-Site Scripting

Published

2023-10-18

Title

Mendeley <= 1.3.4 - Admin+ Stored XSS