CVE-2025-7374 MEDIUM

CVE-2025-7374: WP JobHunt <= 7.6 Authenticated (Custom+) Authorization Bypass

Vendor N/A
Product WP JobHunt
Weakness CWE-863 · Incorrect authorization
Published October 10, 2025
Last update April 8, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to authorization bypass in all versions up to, and including, 7.6. This is due to insufficient login restrictions on inactive and pending accounts. This makes it possible for authenticated attackers, with Candidate- and Employer-level access and above, to log in to the site even if their account is inactive or pending.
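Added example, not WP JobHunt's or WordPress core's code: a hardening pattern for the class of flaw described above, enforcing an account's active/inactive/pending status both at login (on WordPress's `authenticate` filter) and on every request for sessions that already exist. The user-meta key `_job_account_status` and the status values `inactive`/`pending` are assumptions; the real plugin may store this state differently.

```php
<?php
/*
 * Hypothetical hardening for a WordPress job-board plugin (not WP JobHunt's
 * own code). Accounts whose status is "inactive" or "pending" are refused at
 * login and logged out if they already hold a session.
 * ASSUMPTIONS: the meta key and the status strings below are made up.
 */

const JOB_ACCOUNT_STATUS_META = '_job_account_status';          // assumed key
const JOB_BLOCKED_STATUSES    = array( 'inactive', 'pending' ); // assumed values

/** True when the user's stored account status is one that must not log in. */
function job_account_is_blocked( WP_User $user ) {
    $status = get_user_meta( $user->ID, JOB_ACCOUNT_STATUS_META, true );
    return in_array( $status, JOB_BLOCKED_STATUSES, true );
}

/**
 * 'authenticate' runs for every credential-based login path. Priority 30 is
 * after core's password check (priority 20), so $user is a WP_User only when
 * the credentials were valid. Returning WP_Error makes wp_signon() fail and
 * no auth cookie is issued.
 */
function job_block_inactive_login( $user, $username, $password ) {
    if ( $user instanceof WP_User && job_account_is_blocked( $user ) ) {
        return new WP_Error(
            'job_account_not_active',
            __( 'This account is not active yet. Please contact the site administrator.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'job_block_inactive_login', 30, 3 );

/**
 * Login-time checks miss accounts that were set to inactive/pending after a
 * valid session was created, so the status is also enforced on each request:
 * wp_logout() destroys the current session and clears the auth cookie.
 */
function job_expire_blocked_sessions() {
    if ( is_user_logged_in() && job_account_is_blocked( wp_get_current_user() ) ) {
        wp_logout();
        wp_safe_redirect( wp_login_url() );
        exit;
    }
}
add_action( 'init', 'job_expire_blocked_sessions' );
```

Both hooks are needed: the filter closes the login path the description refers to, while the `init` check covers sessions that were opened before an account was moved to inactive or pending.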

Explanation of Vulnerability in Simple Terms

Summary

WP JobHunt versions 7.6 and earlier contain an authorization flaw that allows authenticated users to read or modify data they should not have access to. The vulnerability requires a valid user account but no special privileges. An attacker with low-level access can view or alter sensitive information within the plugin's scope.

What an attacker can do

Attacker Capabilities

Read or modify data belonging to other users or restricted areas of the plugin.

Potential impact on your site

Site Impact

Unauthorized users can access or change job listings, applications, or other plugin data they shouldn't see.

Conditions required to exploit

Prerequisites

Attacker must have a valid user account with low-level privileges on the site.

Key dates

Disclosure timeline

October 10, 2025 CVE published
April 8, 2026 Record updated