CVE-2025-22294: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the Custom Field For WP Job Manager WordPress plugin, identified as CVE-2025-22294. The vulnerability affects versions up to and including 1.3 of the plugin, and was disclosed on January 7, 2025. This security issue stems from improper neutralization of input during web page generation (Patchstack).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue, falling under the OWASP Top 10 category A3: Injection. It has been assigned a CVSS v3.1 base score of 7.1 (High), with the following vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires no authentication to exploit, making it particularly concerning (Patchstack).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site, potentially compromising user security and website integrity (Patchstack).

The vulnerability has been fixed in version 1.4 of the Custom Field For WP Job Manager plugin. Users are advised to update to version 1.4 or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users update to a fixed version (Patchstack).