CVE-2021-39328 - Unspecified vulnerability in Presstigers Simple JOB Board
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: HIGH
Confidentiality impact: LOW
Integrity impact: LOW
Availability impact: NONE
Summary
The Simple Job Board WordPress plugin, in versions up to and including 2.9.4, is vulnerable to Stored Cross-Site Scripting due to insufficient escaping of the $job_board_privacy_policy_label variable, which is echoed out via the ~/admin/settings/class-simple-job-board-settings-privacy.php file. This allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
References
- https://github.com/BigTiger2020/word-press/blob/main/Simple%20Job%20Board%E2%80%94Stored%20Cross-Site%20Scripting%20-%202.md
- https://plugins.trac.wordpress.org/changeset/2617364/simple-job-board/trunk/admin/settings/class-simple-job-board-settings-privacy.php
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39328