Skip to main content

Jobsearch CVE-2026-32493

| EUVDEUVD-2026-15835 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-j8cr-494c-qv6f
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Re-analysis Queued
Apr 29, 2026 - 10:22 vuln.today
cvss_changed
CVSS changed
Apr 29, 2026 - 10:22 NVD
7.1 (HIGH)
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15835
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eyecix JobSearch wp-jobsearch allows Reflected XSS.This issue affects JobSearch: from n/a through <= 3.2.0.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the eyecix JobSearch WordPress plugin through version 3.2.0, allowing attackers to inject malicious scripts into web pages viewed by users. The vulnerability affects all installations of the JobSearch plugin up to and including version 3.2.0, enabling attackers to steal session cookies, perform unauthorized actions on behalf of users, or redirect users to malicious sites. No active exploitation in the wild has been publicly confirmed, though the vulnerability is documented in Patchstack's vulnerability database.

Technical ContextAI

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a fundamental web application security flaw where user-supplied input is reflected in HTTP responses without proper sanitization or encoding. The eyecix JobSearch plugin (cpe:2.3:a:eyecix:jobsearch:*:*:*:*:*:*:*:*) is a WordPress plugin that manages job listings and search functionality. The vulnerability manifests as Reflected XSS, meaning the malicious payload must be delivered to a victim through a crafted URL or form submission; the plugin fails to neutralize dangerous characters or HTML entities in query parameters or user inputs before rendering them in the page output, allowing arbitrary JavaScript execution in the victim's browser within the context of the WordPress site.

RemediationAI

Organizations should immediately upgrade the eyecix JobSearch plugin to a version newer than 3.2.0 if such a patch is available from the vendor; verify the latest version directly with eyecix or through the official WordPress plugin repository. Until patching is possible, implement input validation and output encoding at the application or Web Application Firewall (WAF) level, configure Content Security Policy (CSP) headers to restrict script execution from inline or untrusted sources, and educate users to avoid clicking suspicious links referencing the job search functionality. Additionally, review WordPress security logs for any suspicious query parameters or reflected payloads and consider restricting access to the plugin's search functionality to authenticated users only if the business logic permits.

Share

CVE-2026-32493 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy