WordPress Job Board 1.0.0 Cross Site Scripting

`Plugin Name : Job Board  
  
Effected Version : 1.0.0 (and most probably lower version's if any)  
  
Vulnerability : A3-Cross-Site Scripting (XSS)  
  
Identified by : Madhu Akula  
  
  
  
Technical Details  
  
Minimum Level of Access Required : Administrator  
  
PoC - (Proof of Concept) :  
  
The following fields put the payload as below  
  
http://localhost/wp-admin/admin.php?page=job-board.php  
  
vacancy_reply_text = “></textarea><script>alert(1)</script>  
  
  
Vulnerable Parameter : vacancy_reply_text  
  
Type of XSS : Stored  
  
Fixed in : 1.0.1  
  
http://wordpress.org/plugins/job-board/changelog/  
  
Disclosure Timeline  
  
Vendor Contacted : 2014-08-04  
  
Plugin Status : Updated on 2014-08-07  
  
Public Disclosure : October 3, 2015  
  
CVE Number : Not assigned yet  
  
Plugin Description :  
  
The plugin allows to create and post job-board posts as well as to change, sort and archive them. After inserting the short-code into the page, you will see all vacancies from a search form by categories, organizations, salary etc. The search form is available only after the user has been authorized as a candidate. The candidate is allowed to upload and submit a CV, select a category by which the list of vacant positions is formed for the last 24 hours and save the current search conditions to be used as a search template in future.  
`