Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS reachable over the network without authentication but requiring a victim click; scope changes to the browser with limited C/I/A impact on the session.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in WPJobster <= 6.3.5 versions.
AnalysisAI
Reflected cross-site scripting in the WPJobster WordPress theme through version 6.3.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw carries a CVSS 3.1 score of 7.1 with a scope change (S:C), reflecting impact on browser-side resources beyond the vulnerable application. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) a target WordPress site running the WPJobster theme at version 6.3.5 or earlier, (2) a victim with an active browser session - ideally an authenticated administrator - who clicks an attacker-crafted URL pointing at the vulnerable reflected parameter (UI:R in the CVSS vector), and (3) the victim's browser executing JavaScript without a Content-Security-Policy that blocks the injected payload. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed: CVSS 7.1 is elevated largely because of the scope change and user-interaction requirement (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), which inflates severity for a reflected XSS, while EPSS data was not supplied and the CVE is not in CISA KEV. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL targeting a vulnerable WPJobster parameter with an embedded <script> payload and sends it via phishing email, forum post, or social media to a logged-in WordPress administrator. When the admin clicks the link, the script executes in the site's origin and can exfiltrate session cookies, perform CSRF-style admin actions (creating a new admin user or installing a malicious plugin), or rewrite the page to capture credentials. |
| Remediation | No vendor-released patch identified at time of analysis in the supplied data - administrators should monitor the Patchstack advisory (https://patchstack.com/database/wordpress/theme/wpjobster/vulnerability/wordpress-wpjobster-theme-6-3-5-reflected-cross-site-scripting-xss-vulnerability) and the Jobster Marketplace ThemeForest page for an update beyond 6.3.5 and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all WordPress instances for WPJobster theme version 6.3.5 or earlier; document deployment scope. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37659