{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7374", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-08T22:51:00.471Z", "datePublished": "2025-10-10T11:17:08.050Z", "dateUpdated": "2026-04-08T16:36:24.253Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:24.253Z"}, "affected": [{"vendor": "n/a", "product": "WP JobHunt", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to authorization bypass in all versions up to, and including, 7.6. This is due to insufficient login restrictions on inactive and pending accounts. This makes it possible for authenticated attackers, with Candidate- and Employer-level access and above, to log in to the site even if their account is inactive or pending."}], "title": "WP JobHunt <= 7.6 Authenticated (Custom+) Authorization Bypass", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/12643dd9-3b5e-45ea-9a64-a5b00c9202c8?source=cve"}, {"url": "https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863 Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "meghnine islem"}], "timeline": [{"time": "2025-10-09T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-10T12:01:39.474255Z", "id": "CVE-2025-7374", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-10T12:01:46.739Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7374", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-10T12:01:39.474255Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-10T12:01:43.202Z"}}], "cna": {"title": "WP JobHunt <= 7.6 Authenticated (Custom+) Authorization Bypass", "credits": [{"lang": "en", "type": "finder", "value": "meghnine islem"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "n/a", "product": "WP JobHunt", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-09T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/12643dd9-3b5e-45ea-9a64-a5b00c9202c8?source=cve"}, {"url": "https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636"}], "descriptions": [{"lang": "en", "value": "The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to authorization bypass in all versions up to, and including, 7.6. This is due to insufficient login restrictions on inactive and pending accounts. This makes it possible for authenticated attackers, with Candidate- and Employer-level access and above, to log in to the site even if their account is inactive or pending."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:24.253Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7374", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:36:24.253Z", "dateReserved": "2025-07-08T22:51:00.471Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-10T11:17:08.050Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to authorization bypass in all versions up to, and including, 7.6. This is due to insufficient login restrictions on inactive and pending accounts. This makes it possible for authenticated attackers, with Candidate- and Employer-level access and above, to log in to the site even if their account is inactive or pending."}], "id": "CVE-2025-7374", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-10T12:15:37.937", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/12643dd9-3b5e-45ea-9a64-a5b00c9202c8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:50:46.607382+00:00", "value": {"mitigation_remediation": ["Upgrade WP JobHunt to version\u00a07.7\u00a0or later, which removes the flawed status check. ", "If an update cannot be applied immediately, add a temporary authentication filter or a secondary plugin that blocks login attempts for accounts marked inactive or pending until the official fix is in place. ", "Audit all user accounts on the site, deactivate or delete any that remain inactive or pending, and enforce a periodic review policy to prevent stale credentials from being exploited."], "summary": {"action": "Apply Patch", "impact": "Unauthorized login through inactive or pending accounts"}, "threat_synthesis": {"affected_systems": "Affected systems are WordPress sites using the WP JobHunt plugin version 7.6 or earlier, which includes all earlier releases up to and including 7.6. Sites that host the JobCareer theme\u2014one of the major implementations of WP JobHunt\u2014are impacted.", "description_and_impact": "The WP JobHunt plugin implements an authorization check that fails to enforce the account status when a user attempts to log in.\nAny authenticated attacker possessing Candidate or Employer privileges can force a successful login even when the account is inactive or pending, allowing them to perform subsequent actions as that user.\nThis flaw corresponds to CWE\u2011863, which identifies insufficient authorization controls that permit unauthorized access to protected resources.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, while the EPSS < 1% suggests a low probability of exploitation in the wild. The vulnerability does not allow remote code execution or privilege escalation beyond the authenticated role, but it does enable an attacker to reuse existing credentials on inactive accounts, which can facilitate persistence or credential stuffing attacks. The risk is mitigated by the requirement that the attacker already holds a valid user credential, and the vulnerability is not listed in CISA\u2019s KEV catalog."}}}}, "created": "2025-10-21T13:14:13.696321+00:00", "updated": "2026-04-22T17:00:12.323481+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wp-jobhunt_project", "wp-jobhunt_project$PRODUCT$wp-jobhunt"]}