Skip to main content

Addon Jobsearch Chat CVE-2026-25377

| EUVDEUVD-2026-15695 CRITICAL
SQL Injection (CWE-89)
2026-03-25 Patchstack GHSA-xr7x-cpgh-xg5x
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15695
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
CRITICAL 9.3

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in eyecix Addon Jobsearch Chat addon-jobsearch-chat allows SQL Injection.This issue affects Addon Jobsearch Chat: from n/a through <= 3.0.

AnalysisAI

A SQL injection vulnerability exists in the eyecix Addon Jobsearch Chat plugin for WordPress, affecting all versions through 3.0, that allows attackers to execute arbitrary SQL commands against the underlying database. The vulnerability stems from improper neutralization of special SQL characters in user-supplied input, classified under CWE-89 (SQL Injection). While no CVSS score or EPSS metric is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD tracking ID EUVD-2026-15695, indicating active awareness in vulnerability tracking systems.

Technical ContextAI

The Addon Jobsearch Chat plugin (CPE: cpe:2.3:a:eyecix:addon_jobsearch_chat:*:*:*:*:*:*:*:*) is a WordPress plugin that provides job search and chat functionality. The vulnerability is rooted in CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), which occurs when user-controlled input is concatenated directly into SQL queries without proper parameterization or escaping. This is a classic SQL injection flaw where an attacker can manipulate SQL syntax by injecting malicious characters or SQL fragments through input fields, potentially allowing them to extract, modify, or delete database records. The plugin appears to interact with WordPress database APIs but fails to use prepared statements or parameterized queries to safely handle user input.

RemediationAI

The primary remediation is to upgrade the Addon Jobsearch Chat plugin to a version later than 3.0 if a patched version is available from eyecix; consult the vendor's release notes and the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/addon-jobsearch-chat/vulnerability/wordpress-addon-jobsearch-chat-plugin-3-0-sql-injection-vulnerability?_s_id=cve) to confirm availability and installation instructions. If no patch is currently available, immediately disable and deactivate the plugin to prevent exploitation. As a temporary workaround, restrict access to the plugin's functionality using a Web Application Firewall (WAF) with SQL injection detection rules, limit database user permissions to read-only or minimal required access, and monitor database logs for suspicious query patterns. Ensure all WordPress installations, plugins, and themes are kept current, and implement database query logging to detect any exploitation attempts.

Share

CVE-2026-25377 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy