Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eyecix JobSearch wp-jobsearch allows Reflected XSS.This issue affects JobSearch: from n/a through <= 3.2.0.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the eyecix JobSearch WordPress plugin through version 3.2.0, allowing attackers to inject malicious scripts into web pages viewed by users. The vulnerability affects all installations of the JobSearch plugin up to and including version 3.2.0, enabling attackers to steal session cookies, perform unauthorized actions on behalf of users, or redirect users to malicious sites. No active exploitation in the wild has been publicly confirmed, though the vulnerability is documented in Patchstack's vulnerability database.
Technical ContextAI
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a fundamental web application security flaw where user-supplied input is reflected in HTTP responses without proper sanitization or encoding. The eyecix JobSearch plugin (cpe:2.3:a:eyecix:jobsearch:*:*:*:*:*:*:*:*) is a WordPress plugin that manages job listings and search functionality. The vulnerability manifests as Reflected XSS, meaning the malicious payload must be delivered to a victim through a crafted URL or form submission; the plugin fails to neutralize dangerous characters or HTML entities in query parameters or user inputs before rendering them in the page output, allowing arbitrary JavaScript execution in the victim's browser within the context of the WordPress site.
RemediationAI
Organizations should immediately upgrade the eyecix JobSearch plugin to a version newer than 3.2.0 if such a patch is available from the vendor; verify the latest version directly with eyecix or through the official WordPress plugin repository. Until patching is possible, implement input validation and output encoding at the application or Web Application Firewall (WAF) level, configure Content Security Policy (CSP) headers to restrict script execution from inline or untrusted sources, and educate users to avoid clicking suspicious links referencing the job search functionality. Additionally, review WordPress security logs for any suspicious query parameters or reflected payloads and consider restricting access to the plugin's search functionality to authenticated users only if the business logic permits.
Unauthenticated SQL injection in the eyecix JobSearch WordPress plugin (versions 3.2.9 and earlier) allows remote attack
Unauthenticated information disclosure in the eyecix JobSearch (wp-jobsearch) WordPress plugin versions up to and includ
Stored cross-site scripting in the eyecix JobSearch (wp-jobsearch) WordPress plugin, versions up to and including 3.2.9,
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15835
GHSA-j8cr-494c-qv6f