Skip to main content

WPJobster CVE-2026-22339

| EUVDEUVD-2026-37659 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-17 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected XSS reachable over the network without authentication but requiring a victim click; scope changes to the browser with limited C/I/A impact on the session.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:30 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in WPJobster <= 6.3.5 versions.

AnalysisAI

Reflected cross-site scripting in the WPJobster WordPress theme through version 6.3.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw carries a CVSS 3.1 score of 7.1 with a scope change (S:C), reflecting impact on browser-side resources beyond the vulnerable application. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WPJobster site ≤6.3.5
Delivery
Craft URL with XSS payload in vulnerable parameter
Exploit
Phish authenticated admin with link
Execution
Victim browser executes injected script
Persist
Steal session cookies or issue admin actions
Impact
Persist via new admin user or malicious plugin

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a target WordPress site running the WPJobster theme at version 6.3.5 or earlier, (2) a victim with an active browser session - ideally an authenticated administrator - who clicks an attacker-crafted URL pointing at the vulnerable reflected parameter (UI:R in the CVSS vector), and (3) the victim's browser executing JavaScript without a Content-Security-Policy that blocks the injected payload. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed: CVSS 7.1 is elevated largely because of the scope change and user-interaction requirement (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), which inflates severity for a reflected XSS, while EPSS data was not supplied and the CVE is not in CISA KEV. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL targeting a vulnerable WPJobster parameter with an embedded <script> payload and sends it via phishing email, forum post, or social media to a logged-in WordPress administrator. When the admin clicks the link, the script executes in the site's origin and can exfiltrate session cookies, perform CSRF-style admin actions (creating a new admin user or installing a malicious plugin), or rewrite the page to capture credentials.
Remediation No vendor-released patch identified at time of analysis in the supplied data - administrators should monitor the Patchstack advisory (https://patchstack.com/database/wordpress/theme/wpjobster/vulnerability/wordpress-wpjobster-theme-6-3-5-reflected-cross-site-scripting-xss-vulnerability) and the Jobster Marketplace ThemeForest page for an update beyond 6.3.5 and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all WordPress instances for WPJobster theme version 6.3.5 or earlier; document deployment scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-22339 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy