CVE-2025-7374
📋 TL;DR
The WP JobHunt plugin for WordPress (used by JobCareer theme) has an authorization bypass vulnerability that allows authenticated attackers with Candidate- or Employer-level access to log in even when their accounts are marked as inactive or pending. This affects all versions up to and including 7.6. WordPress sites using this plugin/theme are vulnerable.
💻 Affected Systems
- WP JobHunt WordPress plugin
- JobCareer WordPress theme
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could gain unauthorized access to sensitive job application data, employer information, or administrative functions depending on plugin permissions, potentially leading to data theft, privilege escalation, or site compromise.
Likely Case
Unauthorized users bypass account approval processes, accessing restricted areas meant for approved users only, potentially viewing confidential job postings or candidate information.
If Mitigated
With proper monitoring and access controls, impact is limited to unauthorized access to specific plugin functionality without broader system compromise.
🎯 Exploit Status
Requires attacker to have valid credentials for an inactive/pending account. No special tools needed beyond web browser.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 7.6
Vendor Advisory: https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636
Restart Required: No
Instructions:
1. Update WP JobHunt plugin to latest version (above 7.6). 2. If using JobCareer theme, update to latest version. 3. Verify plugin/theme updates in WordPress admin panel.
🔧 Temporary Workarounds
Disable vulnerable plugin
WordPressTemporarily disable WP JobHunt plugin until patched
wp plugin deactivate wp-jobhunt
Restrict user registration
WordPressDisable new user registrations to prevent creation of vulnerable accounts
Update WordPress Settings > General: uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement strict access monitoring for Candidate and Employer user roles
- Manually review and disable all inactive/pending accounts in WordPress user management
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > WP JobHunt version. If version is 7.6 or lower, system is vulnerable.Check Version:
wp plugin get wp-jobhunt --field=versionVerify Fix Applied:
After update, verify WP JobHunt version is above 7.6. Test with inactive account to confirm login is properly blocked.📡 Detection & Monitoring
Log Indicators:
- Successful logins from accounts with 'inactive' or 'pending' status in WordPress user logs
- Unusual access patterns from Candidate/Employer roles outside normal business hours
Network Indicators:
- HTTP POST requests to wp-login.php or plugin-specific authentication endpoints from previously inactive accounts
SIEM Query:
source="wordpress" (user_status="inactive" OR user_status="pending") AND event="login_success"