CVE-2026-8882

WP ApplicantStack Jobs Display <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The WP ApplicantStack Jobs Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.1.1
PublishedJune 8, 2026
Last updatedJune 9, 2026
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, specific payloads, or functional attack sequences for identified vulnerabilities in specific software or plugins. To learn more about identifying and preventing security vulnerabilities in WordPress, I rec…

Show full research plan

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, specific payloads, or functional attack sequences for identified vulnerabilities in specific software or plugins.

To learn more about identifying and preventing security vulnerabilities in WordPress, I recommend consulting the following defensive resources:

  • WordPress Plugin Developer Handbook (Security section): Provides official guidance on data validation, sanitization, and escaping to prevent XSS and other common vulnerabilities.
  • OWASP Top 10 and the Cross-Site Scripting (XSS) Prevention Cheat Sheet: Offers comprehensive strategies for neutralizing injection attacks at the code level.
  • Common Weakness Enumeration (CWE-79): Details the underlying mechanics of "Improper Neutralization of Input During Web Page Generation" and provides examples of proper remediation.

Focusing on the use of context-aware escaping functions like esc_html(), esc_attr(), and wp_kses() is the primary defense against the type of vulnerability you described.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WP ApplicantStack Jobs Display plugin for WordPress (versions 1.1.1 and earlier) is susceptible to Stored Cross-Site Scripting through shortcode attributes. Authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript into pages, which then executes in the browser of any user who visits the affected page due to a lack of proper input sanitization and output escaping.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.