CVE-2023-6978: 
WordPress vulnerability analysis and mitigation

The WP Job Manager – Company Profiles plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the 'company' parameter in versions up to and including 1.7. This vulnerability was assigned CVE-2023-6978 and was disclosed on December 4, 2024. The vulnerability affects all installations of the WP Job Manager – Company Profiles plugin up to version 1.7 (NVD).

The vulnerability is classified as a Reflected Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.1 (Medium). The vulnerability stems from insufficient input sanitization and output escaping of the 'company' parameter. The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), and needs user interaction (UI:R) to be exploited (NVD).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. The vulnerability has the potential to compromise confidentiality and integrity at a low level, while availability is not affected (NVD).

Users of the WP Job Manager – Company Profiles plugin should update their installations to a version newer than 1.7 if available. Until an update is applied, website administrators should implement additional security controls such as web application firewalls to help filter potentially malicious requests (NVD).