CVE-2024-10105: 
WordPress vulnerability analysis and mitigation

The Job Postings WordPress plugin before version 2.7.11 contains a stored Cross-Site Scripting (XSS) vulnerability. The plugin fails to properly sanitize and escape certain settings, which could enable high-privilege users such as contributors to perform Stored XSS attacks, even when the unfiltered_html capability is disabled, such as in multisite setups (WPScan, NVD).

The vulnerability is classified with a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The issue affects multiple fields in the job posting form, including the description, responsibilities, benefits, contacts, and notification message sections. The vulnerability is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation) (WPScan).

When exploited, this vulnerability allows authenticated users with contributor-level privileges to store and execute malicious JavaScript code that will be executed in other users' browsers when viewing the affected job postings. This remains possible even in environments where the unfiltered_html capability is explicitly disabled (WPScan).

Users should upgrade to version 2.7.11 of the Job Postings WordPress plugin, which contains fixes for this vulnerability (WPScan).