The vulnerability is a reflected XSS flaw (CWE‑79) caused by improper neutralization of user input when generating web pages for the WordPress JobSearch plugin. When an attacker crafts a URL or form submission containing malicious JavaScript, the content is echoed back into the page without adequate encoding. This flaw permits arbitrary script execution in the context of a victim’s browser, enabling session hijacking, cookie theft, or defacement of the site’s content. The CVSS score of 7.1 places the issue in the high‑severity range.

All installations of the eyecix JobSearch WordPress plugin older than version 3.0.6 are affected. The vulnerability applies to every instance where the plugin processes user-supplied query or search parameters that are rendered on the page. Site owners running any of those older plugin versions should review their deployment immediately.

The EPSS score of less than 1% indicates a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the high CVSS score and the fact that the attack requires only a crafted URL that can be shared through email or social media mean that any site with public access to the plugin endpoint is at risk. The attack vector is likely reflected via GET or POST parameters that the plugin reflects back in the HTML without proper escaping. Because no privilege escalation is needed, any authenticated or unauthenticated visitor can be targeted.