Skip to main content

Addon Jobsearch Chat CVE-2026-25376

| EUVDEUVD-2026-15694 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-j949-96cg-m67c
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15694
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eyecix Addon Jobsearch Chat addon-jobsearch-chat allows Reflected XSS.This issue affects Addon Jobsearch Chat: from n/a through <= 3.0.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the eyecix Addon Jobsearch Chat plugin for WordPress, affecting versions up to and including 3.0. An attacker can inject malicious scripts into user-controlled input that is reflected back in the web page without proper sanitization, allowing them to steal session cookies, perform actions on behalf of authenticated users, or redirect users to malicious sites. No CVSS score, EPSS probability, or active KEV designation is available; however, the vulnerability is confirmed via Patchstack and carries a European vulnerability database entry (EUVD-2026-15694).

Technical ContextAI

This vulnerability stems from improper input neutralization during web page generation, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The Addon Jobsearch Chat plugin (identified via CPE cpe:2.3:a:eyecix:addon_jobsearch_chat:*:*:*:*:*:*:*:*) fails to adequately sanitize or encode user-supplied input before rendering it in HTML context. Reflected XSS occurs when untrusted data is immediately echoed back to the user in an HTTP response without escaping, allowing an attacker to craft a malicious URL that executes arbitrary JavaScript in the victim's browser within the origin context of the WordPress site.

RemediationAI

Immediately upgrade the Addon Jobsearch Chat plugin to a patched version released after 3.0; consult the vendor's security advisory or the Patchstack entry for the specific fixed version number. If an upgrade path is not yet available, disable or deactivate the plugin until a patch is released. As a temporary control, restrict access to the plugin's functionality through web application firewall (WAF) rules that filter for common XSS payloads in query parameters, and enforce Content Security Policy (CSP) headers on the WordPress site to mitigate the impact of any injected scripts. Ensure all WordPress instances running this plugin are identified and patched within a defined maintenance window.

Share

CVE-2026-25376 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy