CVE-2026-24979
Received Received - Intake
Reflected XSS in Jobica Core ≀ 1.4.1 Enables Code Injection

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobica Core jobica-core allows Reflected XSS.This issue affects Jobica Core: from n/a through <= 1.4.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24979
EUVD
EUVD-2026-15598
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nootheme jobica_core to 1.4.1 (inc)
nootheme jobica_core From 1.0.0 (inc) to 1.4.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-site Scripting (XSS) issue found in NooTheme Jobica Core, specifically in versions up to and including 1.4.1. It occurs due to improper neutralization of input during web page generation, which allows an attacker to inject malicious scripts that are reflected back to users.

Impact Analysis

The vulnerability can allow attackers to execute malicious scripts in the context of the affected web application. This can lead to theft of user credentials, session hijacking, defacement of the website, or redirection to malicious sites, potentially compromising user data and trust.

Compliance Impact

CVE-2026-24979 is a reflected Cross Site Scripting (XSS) vulnerability that allows attackers to inject malicious scripts into websites running the vulnerable Jobica Core Plugin. Such vulnerabilities can lead to unauthorized access, data manipulation, or exposure of sensitive information.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities like reflected XSS can potentially impact compliance by exposing personal or sensitive data to attackers, violating data protection requirements.

Organizations using the affected plugin should promptly update to version 1.4.2 or later to mitigate risks and help maintain compliance with relevant security and privacy regulations.

Detection Guidance

CVE-2026-24979 is a reflected Cross Site Scripting (XSS) vulnerability in the WordPress Jobica Core Plugin up to version 1.4.1. Detection typically involves identifying malicious script injections or unusual HTTP requests targeting the vulnerable plugin endpoints.

While no specific commands are provided in the resources, common detection methods include monitoring web server logs for suspicious query parameters or payloads, using web vulnerability scanners that test for reflected XSS, and inspecting HTTP requests for injected scripts.

  • Use tools like OWASP ZAP or Burp Suite to scan the website for reflected XSS vulnerabilities.
  • Check web server access logs for unusual URL parameters containing script tags or encoded payloads.
  • Run curl commands to test for reflected XSS by injecting script payloads in URL parameters and observing the response.
Mitigation Strategies

The primary immediate mitigation step is to update the Jobica Core Plugin to version 1.4.2 or later, where the vulnerability is resolved.

Until the update can be applied, it is recommended to implement the mitigation rule provided by Patchstack to block attacks targeting this vulnerability.

Additionally, enabling automatic mitigation and auto-update features for vulnerable plugins can enhance protection against exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24979. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart