CVE-2026-49057: WordPress JobSearch plugin <= 3.2.7 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in JobSearch versions <= 3.2.7.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated broken access control vulnerability affects the WordPress JobSearch plugin at version 3.2.7 and below. The flaw is reachable over the network with no authentication required, meaning any remote party with HTTP access to the site can trigger it. Successful exploitation gives an attacker read access to protected data that should require authorization to view. HarborGuard is tracking this advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the JobSearch plugin. Any image containing an affected version of the plugin is flagged automatically across both registry scans and pipeline checks. (Status: Available)
HarborGuard scores this vulnerability at CVSS 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and weights that score against each customer organization's compliance policy to determine priority. Findings are routed to the team inbox or ticketing integration configured for the affected environment. (Status: Available)
No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory each ingest cycle, and a patched-image rebuild will become available automatically the moment EyeCix Technologies publishes a remediated release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will trigger without any manual step. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress site over the network via standard HTTP or HTTPS; no local or adjacent access is needed.
- Authentication: Not required
No account or session token of any privilege level is needed to trigger the vulnerability.
- Victim interaction: Not required
The attacker can exploit the flaw by sending a crafted request directly; no user action on the target site is needed.
- Attack complexity: Low (AC:L)
The exploit is reliable and condition-free, requiring no race conditions, special configuration, or environmental prerequisites.
Blast Radius
- An attacker reads data that the access control layer was meant to protect, such as job applicant records, user profile details, or other restricted content exposed by the plugin.
- No write or delete capability is indicated by the CVSS vector, so database rows and stored content are not directly modified through this flaw.
- Service availability is unaffected; the vulnerability does not enable denial-of-service or process disruption.
How HarborGuard Handles This
Available on HarborGuard: any image containing JobSearch 3.2.7 or earlier is flagged within minutes of the CVE entering the upstream feeds, with a CVSS 7.5 HIGH severity label applied and the finding routed per each organization's compliance policy. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched rebuild available automatically once EyeCix Technologies publishes a remediated version. In the interim, compensating controls worth considering include network-policy rules that restrict unauthenticated external access to sensitive plugin endpoints, WAF rules that block or challenge requests to the affected route, and feature-flag gating to disable the JobSearch plugin in environments where it is not actively needed.
Affected Products
- EyeCix Technologies / JobSearch: ≤ 3.2.7
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N