CVE-2021-39328 — Cross-site Scripting in JOB Board

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

4.8MEDIUMNVD

CNA5.5

EPSS

0.7%

top 29.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Simple JOB Board Presstigers Simple JOB Board

Timeline

PublishedOct 21

Latest updateMay 24

Description

The Simple Job Board WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $job_board_privacy_policy_label variable echo'd out via the ~/admin/settings/class-simple-job-board-settings-privacy.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.9.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

▶NVDpresstigers/simple_job_board2.9.4

▶CVEListV5simple_job_board/simple_job_board2.9.4 — 2.9.4

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-w65v-xjgq-w8fr: The Simple Job Board WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $job_board_privacy_policy_label↗2022-05-24

▶

CVEList

Simple Job Board <= 2.9.4 Authenticated Stored Cross-Site Scripting↗2021-10-21

▶