CVE-2025-49978 (severity: MEDIUM)

CVE-2025-49978: WordPress JobSearch plugin < 3.0.6 - Insecure Direct Object References (IDOR) Vulnerability

Vendor: Eyecix
Product: JobSearch
Weakness: CWE-639 · IDOR (Authorization Bypass Through User-Controlled Key)
Published: June 20, 2025
Last update: April 28, 2026

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

Description

An Authorization Bypass Through User-Controlled Key vulnerability in the eyecix JobSearch plugin (wp-jobsearch) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobSearch from n/a through versions below 3.0.6.

Explanation of Vulnerability in Simple Terms

Summary

JobSearch versions 3.0.6 and earlier contain a denial-of-service vulnerability accessible to authenticated users. An attacker with low-level account access can trigger a condition that degrades site availability. The vulnerability requires network access and valid credentials but no user interaction. Administrators should update to a version newer than 3.0.6.

What an attacker can do

Attacker Capabilities

Degrade or disrupt site availability by triggering a denial-of-service condition.

Potential impact on your site

Site Impact

Authenticated users can cause temporary service disruption affecting site performance or availability.

Conditions required to exploit

Prerequisites

Attacker must have a valid low-privilege user account on the site.

Key dates

Disclosure timeline

June 20, 2025: CVE published
April 28, 2026: Record updated