Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable WordPress endpoint with missing authorization discloses restricted data, so PR:N/UI:N/AC:L and C:H only; no integrity or availability impact described.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in JobSearch <= 3.2.7 versions.
AnalysisAI
Unauthenticated information disclosure in the eyecix JobSearch (wp-jobsearch) WordPress plugin versions up to and including 3.2.7 allows remote attackers to bypass access controls and read sensitive data without authentication. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation with no preconditions, though no public exploit identified at time of analysis and no CISA KEV listing is present. Patchstack categorized the issue as a Broken Access Control / Authentication Bypass affecting confidentiality only.
Technical ContextAI
The vulnerability resides in the WordPress plugin marketed as JobSearch by eyecix technologies (CPE: cpe:2.3:a:eyecix_technologies:jobsearch), a commercial job board plugin used to publish listings, accept applications, and expose candidate/employer dashboards. The root cause is CWE-862 (Missing Authorization), meaning one or more plugin endpoints (likely AJAX actions, REST routes, or admin-ajax handlers) execute privileged data-read operations without verifying the caller's capability via current_user_can() or a comparable nonce/permission check. In WordPress plugins this class of bug commonly arises when wp_ajax_nopriv_* hooks are registered to handlers that assume authentication or when REST API permission_callback returns true unconditionally.
RemediationAI
No vendor-released patch identified at time of analysis; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-jobsearch/vulnerability/wordpress-jobsearch-plugin-3-2-7-broken-access-control-vulnerability should be consulted for any subsequently published fixed release, and administrators should upgrade to the first JobSearch version above 3.2.7 once published by eyecix. Until a patched version is available, compensating controls include deactivating the wp-jobsearch plugin on production sites (trade-off: job board functionality is lost), or placing the affected AJAX/REST endpoints (typically /wp-admin/admin-ajax.php with jobsearch_* actions and /wp-json/ JobSearch routes) behind a WAF rule that requires an authenticated WordPress session cookie (trade-off: may break legitimate anonymous browsing of public listings). IP allow-listing of /wp-admin/admin-ajax.php is generally not viable because legitimate front-end visitors call it, so prefer per-action rules at the WAF layer. Subscribing to Patchstack's vPatch service is a direct mitigation given they reported the issue.
Unauthenticated SQL injection in the eyecix JobSearch WordPress plugin (versions 3.2.9 and earlier) allows remote attack
Stored cross-site scripting in the eyecix JobSearch (wp-jobsearch) WordPress plugin, versions up to and including 3.2.9,
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the eyecix JobSearch WordPress plugin through version 3.2
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37495