What the vulnerability does
01 Description
The Job Board by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.1. This is due to the plugin storing the entire unsanitized `$_GET` superglobal array directly into the database via `update_user_meta()` when users save search results, and later outputting this data without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses the saved search or views their profile, granted they can trick the user into performing the search and saving the results.
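The save-and-render flow described above, rewritten defensively as an added example; this is not the plugin's code or the vendor's patch. The function names, the meta key, and the three search field names are hypothetical, and the code assumes it runs inside WordPress. It allowlists and sanitizes the query fields before `update_user_meta()`, then re-filters and escapes on output so values stored before a fix are also neutralized.

```php
<?php
// Added example with hypothetical names; not taken from the plugin.

// Assumed search fields. Any other query-string key is dropped.
const EXAMPLE_SEARCH_FIELDS = array( 'keyword', 'location', 'category' );
const EXAMPLE_META_KEY      = 'example_saved_search'; // hypothetical meta key

// Pattern described in the advisory (unsafe): the whole request array is persisted.
//   update_user_meta( $user_id, EXAMPLE_META_KEY, $_GET );

function example_save_search( int $user_id, array $query ): array {
    $clean = array();
    foreach ( EXAMPLE_SEARCH_FIELDS as $field ) {
        // Skip missing keys and nested arrays such as ?keyword[]=...
        if ( ! isset( $query[ $field ] ) || ! is_scalar( $query[ $field ] ) ) {
            continue;
        }
        // Strip tags, control characters and extra whitespace before storage.
        $clean[ $field ] = sanitize_text_field( wp_unslash( (string) $query[ $field ] ) );
    }
    update_user_meta( $user_id, EXAMPLE_META_KEY, $clean );
    return $clean;
}

function example_render_saved_search( int $user_id, string $search_page_url ): string {
    $saved = get_user_meta( $user_id, EXAMPLE_META_KEY, true );
    if ( ! is_array( $saved ) ) {
        return '';
    }
    // Re-apply the allowlist on read: rows written before the fix may hold anything.
    $saved = array_intersect_key( $saved, array_flip( EXAMPLE_SEARCH_FIELDS ) );
    $saved = array_filter( $saved, 'is_scalar' );

    $items = '';
    foreach ( $saved as $field => $value ) {
        // Escape for the HTML body context at output time.
        $items .= sprintf( '<li>%s: %s</li>', esc_html( $field ), esc_html( (string) $value ) );
    }
    // add_query_arg() does not URL-encode values, so encode first, then escape for href.
    $args = array_map( 'rawurlencode', array_map( 'strval', $saved ) );
    $link = add_query_arg( $args, $search_page_url );

    return sprintf( '<ul>%s</ul><a href="%s">Run saved search</a>', $items, esc_url( $link ) );
}
```

A caller would pass `$_GET` and `get_current_user_id()` to `example_save_search()`; the escaping in the render function is what protects against values already sitting in user meta.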
Explanation of Vulnerability in Simple Terms
02 Summary
Job Board by BestWebSoft versions 1.2.1 and earlier contain a cross-site scripting (XSS) vulnerability. An attacker can inject malicious scripts that execute in a victim's browser when they visit a crafted link or page. The vulnerability affects the site's integrity and can expose user data, but does not impact availability.
What an attacker can do
03 Attacker Capabilities
Inject malicious scripts that run in visitors' browsers to steal data or perform actions on their behalf.
Potential impact on your site
04 Site Impact
Visitors' sessions and data can be compromised; site reputation and user trust may be damaged.
Conditions required to exploit
05 Prerequisites
Victim must click a malicious link or visit an attacker-controlled page; no authentication required.
Key dates
06 Disclosure timeline
November 25, 2025: CVE published
April 8, 2026: Record updated