CVE-2025-22294
Published: 07 January 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in theme funda Custom Field For WP Job Manager custom-field-for-wp-job-manager allows Reflected XSS.This issue affects Custom Field For WP Job Manager: from n/a through <= 1.3.
Security Summary
CVE-2025-22294 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Custom Field For WP Job Manager WordPress plugin (slug: custom-field-for-wp-job-manager), developed by theme funda, in all versions from n/a through 1.3 inclusive. The issue was published on 2025-01-07.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation is possible over the network with low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Remote attackers can inject and reflect malicious scripts via unsanitized input during web page generation, executing arbitrary JavaScript in the victim's browser context with changed scope to the site, potentially compromising low levels of confidentiality, integrity, and availability.
Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/custom-field-for-wp-job-manager/vulnerability/wordpress-custom-field-for-wp-job-manager-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, detail the Reflected XSS issue in plugin version 1.3 and provide vulnerability information for mitigation guidance.
Details
- CWE(s)