Skip to main content

JobSearch WordPress Plugin CVE-2026-49057

| EUVDEUVD-2026-37495 HIGH
Missing Authorization (CWE-862)
2026-06-16 Patchstack
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable WordPress endpoint with missing authorization discloses restricted data, so PR:N/UI:N/AC:L and C:H only; no integrity or availability impact described.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:26 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in JobSearch <= 3.2.7 versions.

AnalysisAI

Unauthenticated information disclosure in the eyecix JobSearch (wp-jobsearch) WordPress plugin versions up to and including 3.2.7 allows remote attackers to bypass access controls and read sensitive data without authentication. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation with no preconditions, though no public exploit identified at time of analysis and no CISA KEV listing is present. Patchstack categorized the issue as a Broken Access Control / Authentication Bypass affecting confidentiality only.

Technical ContextAI

The vulnerability resides in the WordPress plugin marketed as JobSearch by eyecix technologies (CPE: cpe:2.3:a:eyecix_technologies:jobsearch), a commercial job board plugin used to publish listings, accept applications, and expose candidate/employer dashboards. The root cause is CWE-862 (Missing Authorization), meaning one or more plugin endpoints (likely AJAX actions, REST routes, or admin-ajax handlers) execute privileged data-read operations without verifying the caller's capability via current_user_can() or a comparable nonce/permission check. In WordPress plugins this class of bug commonly arises when wp_ajax_nopriv_* hooks are registered to handlers that assume authentication or when REST API permission_callback returns true unconditionally.

RemediationAI

No vendor-released patch identified at time of analysis; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-jobsearch/vulnerability/wordpress-jobsearch-plugin-3-2-7-broken-access-control-vulnerability should be consulted for any subsequently published fixed release, and administrators should upgrade to the first JobSearch version above 3.2.7 once published by eyecix. Until a patched version is available, compensating controls include deactivating the wp-jobsearch plugin on production sites (trade-off: job board functionality is lost), or placing the affected AJAX/REST endpoints (typically /wp-admin/admin-ajax.php with jobsearch_* actions and /wp-json/ JobSearch routes) behind a WAF rule that requires an authenticated WordPress session cookie (trade-off: may break legitimate anonymous browsing of public listings). IP allow-listing of /wp-admin/admin-ajax.php is generally not viable because legitimate front-end visitors call it, so prefer per-action rules at the WAF layer. Subscribing to Patchstack's vPatch service is a direct mitigation given they reported the issue.

Share

CVE-2026-49057 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy