Description
Deserialization of Untrusted Data vulnerability in eyecix JobSearch wp-jobsearch.This issue affects JobSearch: from n/a through < 3.0.8.
Published: 2025-10-22
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP Object Injection flaw caused by deserialization of untrusted data within the JobSearch plugin for WordPress. By manipulating the serialized payload that the plugin accepts, an attacker can trigger the instantiation of arbitrary objects, which may lead to remote code execution. The primary impact is complete compromise of the affected WordPress site’s confidentiality, integrity, and availability, allowing an attacker to run arbitrary code on the web server.

Affected Systems

This flaw exists in all releases of the JobSearch plugin identified by the vendor eyecix, from the first available version up to, but not including, 3.0.8. WordPress sites that have installed any of these vulnerable plugin versions are at risk.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical level of severity. The EPSS score of less than 1% suggests that exploitation is currently unlikely, yet the existence of an unpatched DoS or remote code execution vector warrants immediate attention. The vulnerability is not listed in the CISA KEV catalog, but attackers can infer the attack vector as a remote, web‑based payload that exploits the plugin’s deserialization logic. No specialized prerequisites are mentioned beyond the ability to transmit crafted data to the plugin’s endpoints.

Generated by OpenCVE AI on April 29, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JobSearch plugin to version 3.0.8 or later, which removes the vulnerability.
  • If an immediate update is not possible, disable all endpoints that accept serialized data within the plugin, for example by setting HTTP restrictions or using a .htaccess rule that blocks requests to the plugin’s URLs.
  • Deploy a web application firewall rule to detect and block malformed serialization payloads that could trigger PHP object injection attempts.

Generated by OpenCVE AI on April 29, 2026 at 16:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Eyecix
Eyecix jobsearch
Wordpress
Wordpress wordpress
Vendors & Products Eyecix
Eyecix jobsearch
Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in eyecix JobSearch wp-jobsearch.This issue affects JobSearch: from n/a through < 3.0.8.
Title WordPress JobSearch plugin < 3.0.8 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Eyecix Jobsearch
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:48:19.539Z

Reserved: 2025-10-07T15:34:20.406Z

Link: CVE-2025-62025

cve-icon Vulnrichment

Updated: 2025-10-23T15:11:36.006Z

cve-icon NVD

Status : Deferred

Published: 2025-10-22T15:16:03.913

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-62025

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T16:30:15Z

Weaknesses