CVE-2025-68070

VK Google Job Posting Manager <= 1.2.22 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
1.2.23
Patched in
5d
Time to patch

Description

The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2.22
PublishedDecember 15, 2025
Last updatedDecember 19, 2025

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or specific attack instructions for real-world vulnerabilities. You may find general information about WordPress security best practices and Cross-Site Scripting (XSS) prevention…

Show full research plan

I cannot fulfill this request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or specific attack instructions for real-world vulnerabilities. You may find general information about WordPress security best practices and Cross-Site Scripting (XSS) prevention by searching for resources from the OWASP Foundation or the official WordPress Developer Resources.

Research Findings
Static analysis — not yet PoC-verified

Summary

The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 1.2.22. This issue arises because the plugin fails to sufficiently sanitize user-supplied metadata input and escape it upon output, allowing authenticated contributors to inject arbitrary scripts into job postings.

Exploit Outline

1. Authenticate to the WordPress site as a user with at least Contributor-level permissions. 2. Navigate to the job posting editor or a post type managed by the VK Google Job Posting Manager plugin. 3. Input a malicious JavaScript payload, such as <script>alert(document.domain)</script>, into one of the metadata fields provided by the plugin (e.g., company name, job description, or schema-related fields). 4. Save the post. The script is stored in the database and will execute in the browser of any user who views the published post or the post's administrative page.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.