{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8318", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-29T22:21:28.662Z", "datePublished": "2025-09-11T07:24:54.673Z", "dateUpdated": "2026-04-08T16:56:10.417Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:10.417Z"}, "affected": [{"vendor": "bmarshall511", "product": "Jobify", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Jobify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018keyword\u2019 parameter in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Jobify <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via keyword Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e528d16-4a5d-4ef9-baac-e235fa3b4be3?source=cve"}, {"url": "https://plugins.svn.wordpress.org/jobify/tags/1.4.4/src/Jobify/Shortcodes.php"}, {"url": "https://wordpress.org/plugins/jobify/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-09-10T18:46:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-11T14:03:47.239449Z", "id": "CVE-2025-8318", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:39:39.518Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8318", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-11T14:03:47.239449Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:03:50.381Z"}}], "cna": {"title": "Jobify <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via keyword Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bmarshall511", "product": "Jobify", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.4.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-10T18:46:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e528d16-4a5d-4ef9-baac-e235fa3b4be3?source=cve"}, {"url": "https://plugins.svn.wordpress.org/jobify/tags/1.4.4/src/Jobify/Shortcodes.php"}, {"url": "https://wordpress.org/plugins/jobify/#developers"}], "descriptions": [{"lang": "en", "value": "The Jobify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018keyword\u2019 parameter in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-09-11T07:24:54.673Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8318", "state": "PUBLISHED", "dateUpdated": "2025-09-11T14:39:39.518Z", "dateReserved": "2025-07-29T22:21:28.662Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-11T07:24:54.673Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Jobify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018keyword\u2019 parameter in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-8318", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-11T08:15:33.097", "references": [{"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/jobify/tags/1.4.4/src/Jobify/Shortcodes.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/jobify/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e528d16-4a5d-4ef9-baac-e235fa3b4be3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:02:14.921310+00:00", "value": {"mitigation_remediation": ["Upgrade Jobify to a version newer than 1.4.4 when it becomes available", "Remove any pages or posts that may have stored malicious scripts injected via the keyword parameter", "Implement input validation and output escaping (e.g., use WordPress esc_html/esc_url functions) to prevent future script injection"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting that enables an authenticated contributor or higher to inject and execute arbitrary scripts on users\u2019 browsers"}, "threat_synthesis": {"affected_systems": "WordPress plugin Jobify, version 1.4.4 and earlier, developed by bmarshall511.", "description_and_impact": "The Jobify plugin for WordPress is vulnerable to a stored Cross\u2011Site Scripting flaw through the unchecked \u2018keyword\u2019 request parameter. Insufficient input sanitization and output escaping allow an authenticated user with Contributor privileges or higher to embed malicious scripts that will run whenever a user views the affected page.", "risk_and_exploitability": "The flaw carries a CVSS score of 6.4 and an EPSS score of less than 1% \u2013 indicating a moderate severity but low probability of exploitation. The vulnerability requires authentication and only users with Contributor-level or higher access can exploit it, limiting the attack surface yet still enabling potentially widespread client\u2011side damage if an attacker gains or leverages such privileges. The plugin is not listed in CISA KEV, suggesting no publicly known exploitation, but the impact to end users remains significant should the flaw be abused."}}}}, "created": "2025-09-12T08:02:59.643093+00:00", "updated": "2026-04-21T03:15:16.326294+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}