CVE-2025-7374 - Vulnerability Details

- WP JobHunt <= 7.6 Authenticated (Custom+) Authorization Bypass

Description

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to authorization bypass in all versions up to, and including, 7.6. This is due to insufficient login restrictions on inactive and pending accounts. This makes it possible for authenticated attackers, with Candidate- and Employer-level access and above, to log in to the site even if their account is inactive or pending.

Published: 2025-10-10

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The WP JobHunt plugin implements an authorization check that fails to enforce the account status when a user attempts to log in. Any authenticated attacker possessing Candidate or Employer privileges can force a successful login even when the account is inactive or pending, allowing them to perform subsequent actions as that user. This flaw corresponds to CWE‑863, which identifies insufficient authorization controls that permit unauthorized access to protected resources.

Affected Systems

Affected systems are WordPress sites using the WP JobHunt plugin version 7.6 or earlier, which includes all earlier releases up to and including 7.6. Sites that host the JobCareer theme—one of the major implementations of WP JobHunt—are impacted.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while the EPSS < 1% suggests a low probability of exploitation in the wild. The vulnerability does not allow remote code execution or privilege escalation beyond the authenticated role, but it does enable an attacker to reuse existing credentials on inactive accounts, which can facilitate persistence or credential stuffing attacks. The risk is mitigated by the requirement that the attacker already holds a valid user credential, and the vulnerability is not listed in CISA’s KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

WP JobHunt

unaffected

Version	Status	Constraints
`0`	affected	≤ 7.6

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—
Wp-jobhunt Project	Wp-jobhunt	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade WP JobHunt to version 7.7 or later, which removes the flawed status check.
If an update cannot be applied immediately, add a temporary authentication filter or a secondary plugin that blocks login attempts for accounts marked inactive or pending until the official fix is in place.
Audit all user accounts on the site, deactivate or delete any that remain inactive or pending, and enforce a periodic review policy to prevent stale credentials from being exploited.

Generated by OpenCVE AI on April 22, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00034.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636
https://www.wordfence.com/threat-intel/vulnerabilities/id/12643dd9-3b5e-45ea-9a64-a5b00c9202c8?source=cve

History

Tue, 21 Oct 2025 13:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress Wp-jobhunt Project Wp-jobhunt Project wp-jobhunt
Vendors & Products		Wordpress Wordpress wordpress Wp-jobhunt Project Wp-jobhunt Project wp-jobhunt

Fri, 10 Oct 2025 12:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 10 Oct 2025 11:30:00 +0000

Type	Values Removed	Values Added
Description		The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to authorization bypass in all versions up to, and including, 7.6. This is due to insufficient login restrictions on inactive and pending accounts. This makes it possible for authenticated attackers, with Candidate- and Employer-level access and above, to log in to the site even if their account is inactive or pending.
Title		WP JobHunt <= 7.6 Authenticated (Custom+) Authorization Bypass
Weaknesses		CWE-863
References		https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636 https://www.wordfence.com/threat-intel/vulnerabilities/id/12643dd9-3b5e-45ea-9a64-a5b00c9202c8?source=cve
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}`

Subscriptions

Wordpress Wordpress

Wp-jobhunt Project Wp-jobhunt

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-10-10T11:17:08.050Z

Updated: 2026-04-08T16:36:24.253Z

Reserved: 2025-07-08T22:51:00.471Z

Link: CVE-2025-7374

Vulnrichment

Updated: 2025-10-10T12:01:43.202Z

NVD

Status : Deferred

Published: 2025-10-10T12:15:37.937

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7374

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:00:12Z

Weaknesses

CWE-863

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object