The Job Postings WordPress plugin before 2.7.11 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
https://wpscan.com/vulnerability/4477db12-26e9-4c6d-8b71-f3f6a0d19813/