Platform: wordpress
Component: addon-jobsearch-chat
Fixed in: 3.0.1
CVE-2026-25376 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the Addon Jobsearch Chat WordPress plugin. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, data theft, or defacement. The vulnerability affects versions from 0.0.0 up to and including 3.0, and a fix is available in version 3.1.
An attacker could exploit this Reflected XSS vulnerability by crafting a malicious URL containing JavaScript code. When a user clicks on this URL, the injected script executes in their browser within the origin of the WordPress site running the Addon Jobsearch Chat plugin. This allows the attacker to steal cookies, redirect the user to a phishing site, or modify the content of the page. The impact is particularly severe if the plugin is used on sensitive pages or handles user authentication, as an attacker could potentially gain access to user accounts and sensitive data. The blast radius extends to all users who interact with the vulnerable plugin, especially those who click on links from untrusted sources.
CVE-2026-25376 was publicly disclosed on 2026-03-25. There are currently no known public proof-of-concept exploits available, but the ease of exploitation for Reflected XSS vulnerabilities means it is likely to be targeted. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 7.1 (HIGH) indicates a significant risk.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-25376 is to immediately upgrade the Addon Jobsearch Chat plugin to version 3.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious URL parameters. Specifically, look for URL parameters containing JavaScript code or suspicious characters. Additionally, carefully review and sanitize all user input before displaying it on the page. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into a URL parameter and verifying that it does not execute.
Update to version 3.1, or a newer patched version
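The interim controls above (a WAF rule that screens URL parameters for script-like content, and output encoding of anything echoed back into the page) can be illustrated in a small, self-contained way. The following Python is an added example written for this page; it is not code from the plugin or from its author, and the access-log lines and the `/chat/` path in it are constructed for the demonstration. `flag_request_url` and `scan_log` show the kind of check a WAF or SIEM rule would implement, including undoing repeated percent-encoding so a double-encoded `<` is still caught; `render_echo` shows the entity-encoding step (the same idea as WordPress's `esc_html()`) that a plugin must apply before reflecting a request parameter into HTML.

```python
"""Defender-side helpers for a reflected-XSS advisory (added example, not plugin code):
1. a request-log screen that flags query parameters whose decoded value contains markup,
   a javascript: URL or an inline event handler, as a WAF or SIEM rule would;
2. the output-encoding step a plugin should apply before echoing a parameter into HTML.
All log lines below are constructed for this example, not taken from any real site."""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Markers of markup or script content inside a parameter value. Kept deliberately
# narrow (a short list of event handlers) to limit false positives on ordinary text.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z]|"                                    # an HTML tag opener: <script, <img, </p
    r"javascript\s*:|"                                    # javascript: URL scheme
    r"\bon(?:error|load|click|mouseover|focus|blur)\s*=",  # inline event handler attribute
    re.IGNORECASE,
)


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so %253C (a double-encoded '<') is still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_request_url(url):
    """Return the names of query parameters whose decoded value looks like markup/script."""
    query = urlsplit(url).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):  # parse_qsl decodes once
        if SUSPICIOUS.search(decode_fully(value)):
            hits.append(name)
    return hits


# Combined-log style request field: "METHOD /path?query HTTP/x.y"
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_log(lines):
    """Return [(line_number, flagged_parameter_names)] for each suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        hits = flag_request_url("http://host" + match.group(1))
        if hits:
            findings.append((number, hits))
    return findings


def render_echo(param_value):
    """Reflect a request parameter into HTML text safely by entity-encoding it first.
    Echoing the raw value here is exactly the bug class the advisory describes."""
    return "<p>" + html.escape(param_value, quote=True) + "</p>"


# Constructed sample log (hypothetical site, hypothetical /chat/ path).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Mar/2026:10:00:01 +0000] "GET /?s=developer+jobs HTTP/1.1" 200 512',
    '203.0.113.5 - - [25/Mar/2026:10:00:07 +0000] "GET /chat/?msg=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 88',
    '203.0.113.5 - - [25/Mar/2026:10:00:09 +0000] "GET /chat/?name=%253Cimg%2520src%3Dx%2520onerror%3Dx%253E HTTP/1.1" 200 88',
    '203.0.113.5 - - [25/Mar/2026:10:00:12 +0000] "GET /?redirect=javascript%3Avoid(0) HTTP/1.1" 302 0',
    '203.0.113.5 - - [25/Mar/2026:10:00:15 +0000] "GET /?s=python+jobs+in+london HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for number, params in scan_log(SAMPLE_LOG):
        print(f"line {number}: suspicious value in parameter(s) {params}")
    print(render_echo("<script>x</script>"))
```

Running the block reports lines 2, 3 and 4 of the constructed log and prints the encoded reflection `&lt;script&gt;x&lt;/script&gt;`, which a browser renders as text rather than executing. The tag-opener pattern will also fire on harmless values such as `price<bar`, so a production rule needs tuning against real traffic; encoding at output time, by contrast, is the fix that does not depend on guessing payload shapes.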
CVE-2026-25376 is a Reflected XSS vulnerability in the Addon Jobsearch Chat WordPress plugin, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using Addon Jobsearch Chat versions 0.0.0 through 3.0. Upgrade to version 3.1 or later to mitigate the risk.
Upgrade the Addon Jobsearch Chat plugin to version 3.1 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
While no public exploits are currently known, the ease of exploitation suggests it may be targeted. Monitor your systems for suspicious activity.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.