{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7782", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-17T23:41:00.886Z", "datePublished": "2025-12-20T13:47:43.316Z", "dateUpdated": "2026-04-08T17:15:28.433Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:28.433Z"}, "affected": [{"vendor": "n/a", "product": "WP JobHunt", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the 'status' parameter of applied jobs for any user."}], "title": "WP JobHunt <= 7.7 - Missing Authorization to Authenticated (Candidate+) Stored Cross-Site Scripting via 'status'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/af063570-43f7-4bf4-850c-21c3bff40ac1?source=cve"}, {"url": "https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "baseScore": 7.6, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "meghnine islem"}], "timeline": [{"time": "2025-12-20T01:30:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-22T15:56:42.241006Z", "id": "CVE-2025-7782", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T15:56:59.182Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7782", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-22T15:56:42.241006Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T15:56:46.507Z"}}], "cna": {"title": "WP JobHunt <= 7.7 - Missing Authorization to Authenticated (Candidate+) Stored Cross-Site Scripting via 'status'", "credits": [{"lang": "en", "type": "finder", "value": "meghnine islem"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.6, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L"}}], "affected": [{"vendor": "n/a", "product": "WP JobHunt", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "7.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-20T01:30:15.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/af063570-43f7-4bf4-850c-21c3bff40ac1?source=cve"}, {"url": "https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636"}], "descriptions": [{"lang": "en", "value": "The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the 'status' parameter of applied jobs for any user."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-20T13:47:43.316Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7782", "state": "PUBLISHED", "dateUpdated": "2025-12-22T15:56:59.182Z", "dateReserved": "2025-07-17T23:41:00.886Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-20T13:47:43.316Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the 'status' parameter of applied jobs for any user."}], "id": "CVE-2025-7782", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-20T14:16:03.770", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/af063570-43f7-4bf4-850c-21c3bff40ac1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T18:52:53.068901+00:00", "value": {"mitigation_remediation": ["Upgrade the WP JobHunt plugin to version\u202f7.8 or later, which includes a capability check for status updates.", "If an upgrade is not possible, temporarily revoke Candidate access to application status functionality or implement granular role permissions to block status updates.", "Apply server\u2011side sanitization or escape the status parameter before storing or displaying it, or use a WordPress security plugin that blocks malicious input or XSS payloads."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting via missing authorization"}, "threat_synthesis": {"affected_systems": "Affected is the WP JobHunt plugin for WordPress, also used by the JobCareer theme. All versions up to and including 7.7 contain the flaw. Any installation within those version ranges is vulnerable and can be exploited by users with Candidate\u2011level or higher permissions.", "description_and_impact": "Stored Cross\u2011Site Scripting via missing authorization is possible in the WP JobHunt plugin for WordPress when a candidate or higher user invokes a status update without an authorization check. The attacker can embed arbitrary JavaScript into the status field of a job application, which will execute whenever a user views that application. This can result in session hijacking, defacement, or theft of sensitive data, compromising confidentiality and integrity. The weakness is classified as a missing authorization flaw (CWE\u2011862).", "risk_and_exploitability": "The CVSS score is 7.6, indicating a high severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Attackers require an authenticated account with at least Candidate privilege, limiting the threat surface to registered site users. In such environments, the missing authorization allows a malicious candidate to inject XSS payloads into job application status data, achieving client\u2011side code execution."}}}}, "created": "2025-12-21T21:12:23.950852+00:00", "updated": "2026-04-20T19:00:10.688122+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wp-jobhunt_project", "wp-jobhunt_project$PRODUCT$wp-jobhunt"]}