CVE-2026-54186: WordPress JobSearch plugin <= 3.2.9 - SQL Injection vulnerability
Unauthenticated SQL Injection in JobSearch versions <= 3.2.9.
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a SQL injection vulnerability in the WordPress JobSearch plugin (versions 3.2.9 and below). The flaw is reachable over the network with no authentication required, meaning any internet-facing WordPress site running an affected version is exposed. Successful exploitation gives an attacker the ability to read data from the underlying database and cause limited service disruption. HarborGuard is tracking the advisory for patch availability as no fix version has been published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the JobSearch plugin. Any image layer carrying an affected version of eyecix/JobSearch at or below 3.2.9 is flagged automatically. (Status: Available)
HarborGuard scores this CVE at 9.3 CRITICAL (CVSS v3.1) and weights findings against each customer environment's compliance policy to surface priority. Alerts are routed to the appropriate team inbox within each customer org based on configured ownership rules. (Status: Available)
No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment eyecix publishes a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress site via HTTP/HTTPS to exploit this flaw.
- Authentication: Not required
No account or session token is needed; the injection is reachable by any unauthenticated HTTP request.
- Victim interaction: Not required
No victim action is required; the attacker sends crafted requests directly to the affected endpoint without any user involvement.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions.
Blast Radius
- Attacker reads arbitrary data from the WordPress database, including user credentials, password hashes, email addresses, and any stored job-seeker or employer records managed by the plugin.
- The scoped impact (S:C) means data exposure can extend beyond the plugin's own tables to other data accessible by the database user, potentially including records from other plugins or WordPress core tables.
- The attacker causes limited disruption to database availability, consistent with a low availability impact rating, which may manifest as degraded query performance or intermittent errors for site visitors.
How HarborGuard Handles This
Available on HarborGuard: this CVE is monitored continuously against all customer images that include the eyecix/JobSearch plugin at or below version 3.2.9. Because no upstream fix exists yet, HarborGuard tracks the Patchstack advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment a remediated version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy rules that restrict direct database access from the web tier, web application firewall rules targeting SQL injection patterns on JobSearch endpoints, and feature-flag or plugin-deactivation gating on environments where the job-search functionality is non-critical. Customers who want to act immediately should evaluate disabling or replacing the plugin until an upstream patch is available.
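Before deciding whether to disable or replace the plugin, an operator needs to know which installs actually carry an affected version. The Python below is an added example, not HarborGuard's scanner or the plugin's own code: it reads the standard WordPress plugin header ("Plugin Name:" and "Version:" lines in the comment block at the top of a plugin's main PHP file) from every top-level PHP file under a wp-content/plugins directory and flags any plugin whose name contains "JobSearch" with a version at or below 3.2.9. That the JobSearch plugin's header name contains "JobSearch" and that its main file sits in the plugin's top-level directory are assumptions; the sample headers are constructed. Version comparison is done component-wise rather than as a string, so 3.2.10 and 3.10.0 are correctly treated as newer than 3.2.9.

```python
import re
import sys
from pathlib import Path

# Name fragment and upper bound taken from the advisory (eyecix/JobSearch <= 3.2.9).
AFFECTED_PLUGIN_NAME = "JobSearch"
LAST_AFFECTED_VERSION = "3.2.9"

# Standard WordPress plugin header lines, e.g. " * Version: 3.2.9" (assumed layout).
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)

# Constructed sample plugin files, not real plugin sources.
SAMPLE_VULNERABLE = """<?php
/**
 * Plugin Name: JobSearch
 * Version: 3.2.9
 */
"""
SAMPLE_FIXED_HYPOTHETICAL = """<?php
/**
 * Plugin Name: JobSearch
 * Version: 3.3.0
 */
"""
SAMPLE_OTHER_PLUGIN = """<?php
/**
 * Plugin Name: Some Other Plugin
 * Version: 1.0.0
 */
"""


def parse_plugin_header(text):
    """Return {'Plugin Name': ..., 'Version': ...} from the first 8 KB of a plugin file.
    Only the first occurrence of each key counts, as WordPress itself does."""
    found = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        found.setdefault(key, value)
    return found


def version_tuple(version):
    """Numeric dotted version -> tuple of ints; a suffix such as '-beta' is ignored."""
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not core:
        raise ValueError(f"unparseable version {version!r}")
    return tuple(int(p) for p in core.group(0).split("."))


def version_le(a, b):
    """True if version a <= version b, padding missing components with zeros."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta <= tb


def is_affected(header, last_affected=LAST_AFFECTED_VERSION):
    """Flag a parsed header as affected if it is JobSearch at or below the last affected version."""
    name = header.get("Plugin Name", "")
    version = header.get("Version")
    if AFFECTED_PLUGIN_NAME.lower() not in name.lower() or version is None:
        return False
    return version_le(version, last_affected)


def scan_plugins_dir(plugins_dir):
    """Return [(path, plugin name, version)] for affected plugins under wp-content/plugins."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        try:
            text = php.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        header = parse_plugin_header(text)
        if is_affected(header):
            hits.append((str(php), header["Plugin Name"], header["Version"]))
    return hits


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; pass a plugins directory to scan a real install.
    for label, sample in [("vulnerable", SAMPLE_VULNERABLE),
                          ("fixed (hypothetical)", SAMPLE_FIXED_HYPOTHETICAL),
                          ("other plugin", SAMPLE_OTHER_PLUGIN)]:
        print(f"{label}: affected={is_affected(parse_plugin_header(sample))}")
    if len(sys.argv) > 1:
        for path, name, version in scan_plugins_dir(sys.argv[1]):
            print(f"AFFECTED {name} {version} at {path}")
```

Run it with the path to a site's wp-content/plugins directory (for a container image, against an extracted layer) to list affected installs; an empty result for a site known to run JobSearch means the header name assumption needs adjusting, not that the site is safe.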
Affected Products
- eyecix / JobSearch: ≤ 3.2.9
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L