{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12836", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-06T19:59:33.790Z", "datePublished": "2026-01-24T07:26:41.692Z", "dateUpdated": "2026-04-08T16:51:40.162Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:40.162Z"}, "affected": [{"vendor": "vektor-inc", "product": "VK Google Job Posting Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.23", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.23 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "VK Google Job Posting Manager <= 1.2.23 - Authenticated (Author+) Stored Cross-Site Scripting via Job Description Field", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e0fd492-19ee-430e-a495-99ad28043bf9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/vk-google-job-posting-manager/tags/1.2.20/vk-google-job-posting-manager.php#L419"}, {"url": "https://plugins.trac.wordpress.org/browser/vk-google-job-posting-manager/tags/1.2.20/vk-google-job-posting-manager.php#L468"}, {"url": "https://plugins.trac.wordpress.org/changeset/3449302/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-01-23T19:16:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T15:29:07.920029Z", "id": "CVE-2025-12836", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T15:45:33.120Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12836", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T15:29:07.920029Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T15:29:35.048Z"}}], "cna": {"title": "VK Google Job Posting Manager <= 1.2.23 - Authenticated (Author+) Stored Cross-Site Scripting via Job Description Field", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "vektor-inc", "product": "VK Google Job Posting Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.23"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-23T19:16:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e0fd492-19ee-430e-a495-99ad28043bf9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/vk-google-job-posting-manager/tags/1.2.20/vk-google-job-posting-manager.php#L419"}, {"url": "https://plugins.trac.wordpress.org/browser/vk-google-job-posting-manager/tags/1.2.20/vk-google-job-posting-manager.php#L468"}, {"url": "https://plugins.trac.wordpress.org/changeset/3449302/"}], "descriptions": [{"lang": "en", "value": "The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.23 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:40.162Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12836", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:51:40.162Z", "dateReserved": "2025-11-06T19:59:33.790Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-24T07:26:41.692Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.23 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin VK Google Job Posting Manager para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del campo 'Job Description' en versiones hasta la 1.2.20, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados con permisos de nivel de autor y superiores inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-12836", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-24T08:16:03.870", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/vk-google-job-posting-manager/tags/1.2.20/vk-google-job-posting-manager.php#L419"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/vk-google-job-posting-manager/tags/1.2.20/vk-google-job-posting-manager.php#L468"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3449302/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e0fd492-19ee-430e-a495-99ad28043bf9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T23:54:06.520317+00:00", "value": {"mitigation_remediation": ["Upgrade VK Google Job Posting Manager to version 1.2.24 or later, if available.", "If no newer release exists, implement a content filter that removes or escapes script tags from the job description field.", "Restrict job posting capabilities so that only trusted users with elevated privileges can create or edit postings.", "Consider disabling JavaScript execution in job description pages via CSP headers or a plugin that sanitizes output."], "summary": {"action": "Apply Upgrade", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "Vektor\u2011Inc\u2019s VK Google Job Posting Manager WordPress plugin, versions up to and including 1.2.23, is affected. No other product or version is listed.", "description_and_impact": "The VK Google Job Posting Manager plugin for WordPress allows an authenticated author or higher to store arbitrary JavaScript in the job description field because the input is not properly sanitized or escaped before rendering. When a user views an affected job post, the injected script executes with the context of the site, potentially enabling code execution in the visitor\u2019s browser, data theft, or session hijacking.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.4, indicating a moderate severity. The EPSS score is below 1%, implying a low to very low probability of exploitation in the near term. It is not listed in the CISA KEV catalog, and exploitation requires the attacker to have author\u2011level or higher permissions and to trick another user into viewing the injected job description."}}}}, "created": "2026-01-26T11:48:23.929462+00:00", "updated": "2026-04-22T00:00:03.948575+00:00", "vendors": ["vektor", "vektor$PRODUCT$vk_google_job_posting_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}