Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eyecix Addon Jobsearch Chat addon-jobsearch-chat allows Reflected XSS.This issue affects Addon Jobsearch Chat: from n/a through <= 3.0.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the eyecix Addon Jobsearch Chat plugin for WordPress, affecting versions up to and including 3.0. An attacker can inject malicious scripts into user-controlled input that is reflected back in the web page without proper sanitization, allowing them to steal session cookies, perform actions on behalf of authenticated users, or redirect users to malicious sites. No CVSS score, EPSS probability, or active KEV designation is available; however, the vulnerability is confirmed via Patchstack and carries a European vulnerability database entry (EUVD-2026-15694).
Technical ContextAI
This vulnerability stems from improper input neutralization during web page generation, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The Addon Jobsearch Chat plugin (identified via CPE cpe:2.3:a:eyecix:addon_jobsearch_chat:*:*:*:*:*:*:*:*) fails to adequately sanitize or encode user-supplied input before rendering it in HTML context. Reflected XSS occurs when untrusted data is immediately echoed back to the user in an HTTP response without escaping, allowing an attacker to craft a malicious URL that executes arbitrary JavaScript in the victim's browser within the origin context of the WordPress site.
RemediationAI
Immediately upgrade the Addon Jobsearch Chat plugin to a patched version released after 3.0; consult the vendor's security advisory or the Patchstack entry for the specific fixed version number. If an upgrade path is not yet available, disable or deactivate the plugin until a patch is released. As a temporary control, restrict access to the plugin's functionality through web application firewall (WAF) rules that filter for common XSS payloads in query parameters, and enforce Content Security Policy (CSP) headers on the WordPress site to mitigate the impact of any injected scripts. Ensure all WordPress instances running this plugin are identified and patched within a defined maintenance window.
More in Addon Jobsearch Chat
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15694
GHSA-j949-96cg-m67c