Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated network-reachable WordPress plugin SQLi; scope changes to the database, high confidentiality loss, low integrity from potential limited writes, no availability impact typical for read-oriented SQLi.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in JobSearch <= 3.2.9 versions.
AnalysisAI
Unauthenticated SQL injection in the eyecix JobSearch WordPress plugin (versions 3.2.9 and earlier) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. With a CVSS 3.1 score of 9.3 and a Scope:Changed vector indicating impact beyond the vulnerable component, the flaw enables high-confidentiality data theft from the WordPress database including user records and credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The wp-jobsearch plugin must be installed and active on a target WordPress site, version 3.2.9 or earlier, with the vulnerable JobSearch endpoint reachable from the internet (default WordPress deployment exposes admin-ajax.php and REST routes to unauthenticated visitors). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a high-priority vulnerability based on multiple converging signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker enumerates WordPress sites running the JobSearch plugin via fingerprinting (e.g., /wp-content/plugins/wp-jobsearch/ paths) and sends a crafted HTTP request to a vulnerable JobSearch AJAX or REST endpoint with malicious SQL payload in a query parameter. The injection executes against the WordPress database, allowing the attacker to extract administrator password hashes from wp_users and session tokens or API keys from wp_usermeta and wp_options, which can be cracked or replayed to escalate to full site control. |
| Remediation | No vendor-released patch version was specified in the supplied intelligence - Patchstack advisory titles the issue as affecting <=3.2.9 but a confirmed fixed release is not independently verified in the input data; administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-jobsearch/vulnerability/wordpress-jobsearch-plugin-3-2-9-sql-injection-vulnerability and upgrade to the next release above 3.2.9 once published by eyecix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations to identify active deployments of eyecix JobSearch plugin (versions 3.2.9 and earlier) and document which systems and databases are exposed. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated information disclosure in the eyecix JobSearch (wp-jobsearch) WordPress plugin versions up to and includ
Stored cross-site scripting in the eyecix JobSearch (wp-jobsearch) WordPress plugin, versions up to and including 3.2.9,
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the eyecix JobSearch WordPress plugin through version 3.2
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37631