Impact
The vulnerability is an instance of insecure direct object references (IDOR) that lets an attacker bypass authorization controls. It arises from an authorization bypass through a user‑controlled key in the eyecix JobSearch WordPress plugin: the plugin selects an object by a key exposed in its URLs without verifying that the requester is allowed to access that object. By changing the key, an attacker can reach content that should be restricted, potentially reading or modifying unpublished job listings or sensitive data. The flaw is categorized as CWE‑639, indicating that the application fails to enforce access control on objects identified by user input.
Affected Systems
The flaw is present in all releases of the eyecix JobSearch WordPress plugin up to, but not including, version 3.0.6. An attacker targeting a site that hosts an affected version of the plugin could exploit the IDOR. The plugin is typically installed within WordPress sites that manage job listings, so any host running these versions is potentially impacted.
Risk and Exploitability
The CVSS base score of 4.3 indicates a low severity rating, and the EPSS score of less than 1% demonstrates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through normal HTTP requests to the plugin’s endpoints, which may be accessed by authenticated or unauthenticated users depending on site configuration. Exploiting the flaw usually requires knowledge of the object key and the ability to issue requests to the plugin’s front‑end or back‑end interfaces; no additional privileges or exploits are required beyond normal web interaction.
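The access-control failure described under Impact, as an added PHP illustration that is not the plugin's own code: the insecure handler returns whatever object a URL key names, while the hardened handler resolves the key and then authorizes the caller against that specific object. The request parameter name, the post type and all function names are hypothetical.

```php
<?php
// Added illustration, not eyecix JobSearch code. The parameter 'job_id',
// the post type 'job_listing', the text domain and the function names are hypothetical.

// Vulnerable pattern: the object is chosen purely by a user-controlled key.
function demo_get_job_insecure() {
    $job_id = isset( $_GET['job_id'] ) ? absint( $_GET['job_id'] ) : 0;
    $job    = get_post( $job_id );          // any ID, any status, any author
    return $job ? $job->post_content : '';  // drafts and private listings leak here
}

// Hardened pattern: resolve the key, then authorize the caller for that object.
function demo_get_job_secure() {
    $job_id = isset( $_GET['job_id'] ) ? absint( $_GET['job_id'] ) : 0;
    $job    = $job_id ? get_post( $job_id ) : null;

    // Wrong post type or no such object: same response, so IDs cannot be enumerated.
    if ( ! $job || 'job_listing' !== $job->post_type ) {
        wp_die( esc_html__( 'Not found.', 'demo' ), 404 );
    }

    // Published listings are public; anything else needs a per-object capability.
    // 'read_post' is a meta capability that WordPress maps to the post type's
    // capabilities, so authors, editors and administrators are handled by core.
    if ( 'publish' !== $job->post_status && ! current_user_can( 'read_post', $job->ID ) ) {
        wp_die( esc_html__( 'Not found.', 'demo' ), 404 );  // identical to the missing case
    }
    return $job->post_content;
}

// State-changing actions additionally bind the request to the session with a
// nonce and check the edit capability on the specific object, not just the role.
function demo_update_job_secure() {
    check_admin_referer( 'demo_update_job' );   // CSRF check; hypothetical nonce action
    $job_id = isset( $_POST['job_id'] ) ? absint( $_POST['job_id'] ) : 0;
    if ( ! $job_id || ! current_user_can( 'edit_post', $job_id ) ) {
        wp_die( esc_html__( 'Not allowed.', 'demo' ), 403 );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    wp_update_post( array( 'ID' => $job_id, 'post_title' => $title ) );
}
```

The per-object check (`current_user_can( 'read_post', $id )`) is what a role-only check such as `is_user_logged_in()` misses, and it is the check a CWE-639 finding like this one indicates is absent.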
OpenCVE Enrichment