{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13383", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-18T20:43:02.420Z", "datePublished": "2025-11-25T07:28:19.446Z", "dateUpdated": "2026-04-08T16:40:51.514Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:51.514Z"}, "affected": [{"vendor": "bestweblayout", "product": "Job Board by BestWebSoft", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Job Board by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.1. This is due to the plugin storing the entire unsanitized `$_GET` superglobal array directly into the database via `update_user_meta()` when users save search results, and later outputting this data without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses the saved search or views their profile, granted they can trick the user into performing the search and saving the results."}], "title": "Job Board by BestWebSoft <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via $_GET Array Storage", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1eb1622f-19fb-472e-871b-9a456f80f390?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L2354"}, {"url": "https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L2355"}, {"url": "https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L1680"}, {"url": "https://plugins.trac.wordpress.org/changeset/3403205/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jamshed Yergashvoyev"}], "timeline": [{"time": "2025-11-24T19:08:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-25T16:38:22.397468Z", "id": "CVE-2025-13383", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T16:38:30.920Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13383", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-25T16:38:22.397468Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T16:38:26.114Z"}}], "cna": {"title": "Job Board by BestWebSoft <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via $_GET Array Storage", "credits": [{"lang": "en", "type": "finder", "value": "Jamshed Yergashvoyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bestweblayout", "product": "Job Board by BestWebSoft", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-24T19:08:56.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1eb1622f-19fb-472e-871b-9a456f80f390?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L2354"}, {"url": "https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L2355"}, {"url": "https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L1680"}, {"url": "https://plugins.trac.wordpress.org/changeset/3403205/"}], "descriptions": [{"lang": "en", "value": "The Job Board by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.1. This is due to the plugin storing the entire unsanitized `$_GET` superglobal array directly into the database via `update_user_meta()` when users save search results, and later outputting this data without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses the saved search or views their profile, granted they can trick the user into performing the search and saving the results."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:51.514Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13383", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:40:51.514Z", "dateReserved": "2025-11-18T20:43:02.420Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-25T07:28:19.446Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Job Board by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.1. This is due to the plugin storing the entire unsanitized `$_GET` superglobal array directly into the database via `update_user_meta()` when users save search results, and later outputting this data without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses the saved search or views their profile, granted they can trick the user into performing the search and saving the results."}], "id": "CVE-2025-13383", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-25T08:15:50.443", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L1680"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L2354"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L2355"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3403205/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1eb1622f-19fb-472e-871b-9a456f80f390?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:32:49.280878+00:00", "value": {"mitigation_remediation": ["Update Job Board by BestWebSoft to a version newer than 1.2.1 that implements proper sanitization for the $_GET array before storing it. ", "If an immediate upgrade is not possible, remove or disable the functionality that writes the GET array to user meta; for example, patch the plugin file to sanitize the data or delete the update_user_meta call. ", "Perform a database review to locate and delete any stored user meta entries that contain unsanitized GET data, then refresh the site to ensure no lingering scripts remain."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress installations using the Job Board by BestWebSoft plugin version 1.2.1 or earlier are affected. No additional vendor or product versions are listed, but any version up to and including 1.2.1 shares the same insecure logic.", "description_and_impact": "The vulnerability arises because the Job Board by BestWebSoft plugin stores the entire unsanitized $_GET superglobal array in user meta data via update_user_meta(). When a user later views the saved search or profile, this data is rendered without escaping, allowing arbitrary JavaScript injection. An attacker can craft a GET request containing malicious code, trick a victim into performing a search and saving it, and then the script executes in the victim\u2019s browser, potentially stealing session cookies, defacing content, or redirecting users to phishing sites. The flaw does not allow direct server\u2011side code execution; its impact is limited to the victim\u2019s browser context.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not currently listed in CISA\u2019s KEV catalog. The likely attack vector requires an unauthenticated attacker to manipulate a target user\u2019s GET parameters and rely on that user to perform a search and save it; the attack does not involve direct authentication or phishing of the attacker\u2019s own credentials. The risk remains significant for sites that commonly allow users to save searches, as an attacker could inject a large number of malicious scripts hidden within stored data."}}}}, "created": "2025-12-01T15:19:25.665275+00:00", "updated": "2026-04-22T16:45:21.452507+00:00", "vendors": ["bestwebsoft", "bestwebsoft$PRODUCT$job_board", "wordpress", "wordpress$PRODUCT$wordpress"]}