CVE-2026-22339 · Severity: HIGH · CNA: Patchstack

CVE-2026-22339: WordPress WPJobster theme <= 6.3.5 - Reflected Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in WPJobster <= 6.3.5 versions.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

Reflected cross-site scripting (XSS) affects the WPJobster WordPress theme in versions 6.3.5 and earlier. The vulnerability is reachable over the network without any authentication, but requires a victim to follow a crafted link that carries the malicious payload. Successful exploitation lets an attacker execute arbitrary JavaScript in the victim's browser session, enabling session token theft, page content tampering, and degradation of the affected page. No fix version has been published; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images that contain the WPJobster theme, including custom-built WordPress images. Coverage extends to images in both connected registries and active CI/CD pipelines.

Triage: Available

HarborGuard can score this finding at CVSS 7.1 (HIGH) and weight it against each customer organization's compliance policy to determine urgency and routing. Triage alerts are routable to the appropriate team inbox within the customer org based on policy-defined ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as the upstream maintainer ships a remediated release. Until then, customers can apply compensating controls through HarborGuard's policy engine to flag or block deployment of images containing the affected theme version.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target WordPress site over the network to deliver the crafted URL to the victim.

  • Authentication: Not required

    No account or credentials are needed; the reflected payload can be triggered by any unauthenticated visitor following a malicious link.

  • Victim interaction: Required

    The attack requires the victim to click or follow a specially crafted link that carries the XSS payload, making social engineering a necessary step.

  • Attack complexity: Low

    Exploit reliability is high and no special environmental conditions, race conditions, or configuration states are required to trigger the vulnerability.

Blast Radius

  • Reads session cookies or authentication tokens from the victim's browser, enabling account hijacking without needing credentials.
  • Injects or alters visible page content in the victim's browser session, enabling phishing payloads or misleading UI elements.
  • Initiates browser-side requests on behalf of the logged-in victim, potentially performing actions within the WordPress admin or marketplace interface.
  • Degrades the victim's experience of the affected page, consistent with the CVSS availability impact rating.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-22339 is active against any image containing WPJobster theme files at version 6.3.5 or earlier, sourced from any connected registry or pipeline. Because no upstream patch exists at this time, HarborGuard monitors the Patchstack advisory on every ingest cycle and will surface a patched-image rebuild the moment a remediated version is published. In the interim, customers can use HarborGuard's policy engine to enforce a block or warn gate on deployments that include the affected theme version, and can apply network-policy isolation rules to restrict the attack surface, for example by limiting public exposure of affected WordPress instances to known IP ranges. For customers who have opted into auto-remediation, a rebuild, regression-test run, and PR against affected workloads will be initiated automatically once an upstream fix version is available.

Affected packages

  • Jobster Marketplace / WPJobster, ≤ 6.3.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L