CVE-2025-62025

eyecix · JobSearch

A deserialization of untrusted data vulnerability in the eyecix JobSearch WordPress plugin allows for potential remote code execution.

Executive summary

The JobSearch plugin for WordPress is vulnerable to a critical deserialization flaw that could allow an unauthenticated attacker to execute arbitrary code on the host server.

Vulnerability

The plugin deserializes data taken from an unauthenticated request without validating it (CWE-502; in a PHP application this means attacker-controlled input reaching unserialize()). A crafted serialized payload lets the attacker instantiate any class the application can load, and when one of those classes runs attacker-influenced file or code operations from a magic method (__wakeup, __destruct, __toString), a PHP object injection gadget chain turns the flaw into remote code execution. The affected endpoint and the gadget chain are not identified here.

Business impact

Successful exploitation of this vulnerability poses a severe risk, as it allows attackers to gain full control over the affected WordPress instance. With a CVSS score of 9.8, this flaw represents a critical threat to data confidentiality, integrity, and availability, potentially leading to total system compromise and unauthorized access to sensitive applicant or employer data.

Remediation

Immediate Action: Update the JobSearch plugin to version 3.0.8 or later. If the update cannot be applied at once, deactivate the plugin until it can, since the flaw needs no authentication.

Proactive Monitoring: Review web server and WordPress access logs for POST requests to plugin endpoints from unexpected sources and for PHP serialization markers (O:<length>:"ClassName") in query strings, including URL-encoded or base64-encoded forms. Standard access logs do not record POST bodies, so body inspection needs a WAF audit log or a request-body logging format. Also check for follow-on indicators such as new PHP files under wp-content/uploads or unexpected administrator accounts.

Compensating Controls: Deploy a Web Application Firewall (WAF) with a rule that blocks PHP serialized object markers (O:<length>:" and C:<length>:") in query and body parameters of requests to the WordPress instance. Treat this as a stopgap rather than a fix, since an encoding the rule does not decode can bypass it.
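As an added triage example covering the update check and the log review above (not code from the advisory or from the JobSearch plugin), the Python script below reads a plugin file's Version: header to decide whether an install is at or past 3.0.8, and scans combined-format access log lines for the PHP serialized object marker (O:<length>:"ClassName") in query parameters, decoding URL encoding and base64 on the way. The plugin header, the log lines and the admin-ajax action name in them are constructed for this example; the 3.0.8 threshold is the only value taken from the page.

```python
"""Triage helpers for a WordPress deserialization advisory.

Added example; this is not code from the advisory or from the JobSearch
plugin. The plugin header text, the request samples and the log lines
below are constructed for illustration, and the admin-ajax action name
used in them is hypothetical.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

# First fixed release named in the advisory.
FIXED_VERSION = (3, 0, 8)

# PHP serialized object (O:) or custom-serialized class (C:) marker:
#   O:<name length>:"<class name>":<property count>:{ ... }
# Serialized arrays (a:) are left out: they carry no class and are a
# far weaker signal than an object marker.
SERIALIZED_OBJECT = re.compile(r'[OC]:\d+:"([A-Za-z0-9_\\]{1,128})"')
BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
# Apache/nginx combined format: client, ident, user, [timestamp], "METHOD target PROTO".
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')


def parse_version(text):
    """'3.0.7' -> (3, 0, 7). A non-numeric component ends the tuple."""
    parts = []
    for piece in text.strip().split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def version_from_plugin_header(header_text):
    """Read the 'Version:' field of a WordPress plugin file header."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.M)
    return match.group(1) if match else None


def is_patched(version):
    """True when the installed version is 3.0.8 or later."""
    return parse_version(version) >= FIXED_VERSION


def serialized_class(value):
    """Return the class name if `value` carries a PHP serialized object,
    checking the raw value and, when it looks like base64, its decoding."""
    found = SERIALIZED_OBJECT.search(value)
    if found:
        return found.group(1)
    if BASE64_SHAPE.match(value):
        try:
            decoded = base64.b64decode(value, validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            return None
        found = SERIALIZED_OBJECT.search(decoded)
        if found:
            return found.group(1)
    return None


def scan_request(client, method, target, body=""):
    """Flag query parameters (and body parameters, when a body is supplied)
    that carry a serialized object. Access logs record only the request
    line, so `body` is empty unless the log source captures it."""
    findings = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        cls = serialized_class(value)
        if cls:
            findings.append({"client": client, "method": method,
                             "where": "query:" + name, "class": cls})
    if body:
        before = len(findings)
        for name, value in parse_qsl(body, keep_blank_values=True):
            cls = serialized_class(value)
            if cls:
                findings.append({"client": client, "method": method,
                                 "where": "body:" + name, "class": cls})
        if len(findings) == before:  # not form-encoded: scan the body as a whole
            cls = serialized_class(body)
            if cls:
                findings.append({"client": client, "method": method,
                                 "where": "body", "class": cls})
    return findings


def scan_log_lines(lines):
    """Run scan_request over combined-format access log lines."""
    findings = []
    for line in lines:
        parsed = LOG_LINE.match(line)
        if not parsed:
            continue
        client, _stamp, method, target = parsed.groups()
        findings.extend(scan_request(client, method, target))
    return findings


# Constructed plugin header (not the real JobSearch file) with a pre-fix version.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Example Job Plugin
 * Version: 3.0.7
 */
"""

_B64_OBJECT = quote(base64.b64encode(b'O:8:"stdClass":0:{}').decode())

# Constructed log lines; the admin-ajax action name is hypothetical.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Nov/2025:10:12:01 +0000] "GET /jobs/?search=engineer HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Nov/2025:10:13:45 +0000] "POST /wp-admin/admin-ajax.php?action=hypothetical_action'
    '&data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D HTTP/1.1" 200 17 "-" "curl/8.4.0"',
    '203.0.113.9 - - [03/Nov/2025:10:13:52 +0000] "POST /wp-admin/admin-ajax.php?action=hypothetical_action'
    '&data=' + _B64_OBJECT + ' HTTP/1.1" 200 17 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    installed = version_from_plugin_header(SAMPLE_HEADER)
    print(f"installed {installed}, patched: {is_patched(installed)}")
    for hit in scan_log_lines(SAMPLE_LOG):
        print(hit)
```

Standard access logs hold the request line only, so POST bodies are invisible to scan_log_lines; feed bodies to scan_request from a source that captures them (a WAF audit log, or nginx with $request_body in the log format). The SERIALIZED_OBJECT pattern is also the one to carry into a WAF rule for the compensating control, applied to both query arguments and the request body.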

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Given the critical CVSS severity of 9.8, administrators must prioritize updating this plugin. Until the update is applied, the application remains exposed to unauthenticated remote code execution, and no public exploit status is recorded here, so absence of a known exploit should not be taken as a reason to defer.