CVE-2025-7374 in WP JobHunt Plugin

Summary

by MITRE • 10/10/2025

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to authorization bypass in all versions up to, and including, 7.6. This is due to insufficient login restrictions on inactive and pending accounts. This makes it possible for authenticated attackers, with Candidate- and Employer-level access and above, to log in to the site even if their account is inactive or pending.


Analysis

by VulDB Data Team • 10/10/2025

The authorization bypass in the WP JobHunt plugin undermines the account-approval controls of WordPress job portals built on the JobCareer theme. It affects every plugin version up to and including 7.6. The flaw lies in how the plugin validates account status during login: the checks that should keep inactive or pending accounts off the site are insufficient, so the state an administrator assigns to an account is not enforced at the point where it matters.

Technically, the plugin's authentication flow does not adequately verify that an account has been approved or activated before the login completes. A user who holds valid credentials for a Candidate- or Employer-level account (or higher) can therefore log in even though an administrator has marked the account pending or inactive. Because the weakness sits in the application-layer authentication path rather than in any single feature, a site operator cannot mitigate it by restricting a particular page; it also means that an account that was deactivated after a compromise, or that was never approved in the first place, keeps working as an ordinary login.

Operationally, the bypass gives such users whatever the portal exposes to their role: job listings, candidate profiles and recruitment workflows. Depending on the role, that can mean viewing confidential candidate data or editing job postings that the operator believed were gated behind approval. The business risk includes data exposure, regulatory obligations around applicant data, and reputational damage. More broadly, the approval workflow that job portals rely on to vet employers and candidates before granting access can no longer be trusted.

Practitioners should update to a plugin version that fixes the login check. Until then, monitor login activity for accounts whose status is inactive or pending, and revoke existing sessions for such accounts, since a login-time check alone does not end sessions created earlier. The vulnerability maps to CWE-285 (Improper Authorization) and to ATT&CK technique T1078 (Valid Accounts), because the attacker uses legitimate credentials rather than defeating authentication itself. Role-based access controls should be tightened so that a Candidate or Employer account that slips through the gate gains as little as possible, and periodic audits should confirm that the login path actually enforces account status.
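The following is an added example, not code from WP JobHunt or from VulDB, of the two controls discussed above: a WordPress `authenticate` filter that allow-lists only active accounts for the approval-gated roles (contrasted with the deny-list pattern that lets "pending" and missing statuses through), and a session-revocation hook so that deactivating an account also ends its live sessions. The meta key `account_status`, its values `active`/`pending`/`inactive`, and the role slugs `candidate` and `employer` are assumptions for illustration; the plugin's real storage is not documented on this page.

```php
<?php
/**
 * Added hardening example (not WP JobHunt code).
 * Assumptions, not taken from the plugin: account status is stored in user
 * meta under 'account_status' with values 'active' | 'pending' | 'inactive',
 * and the approval-gated roles use the slugs 'candidate' and 'employer'.
 */

const JH_STATUS_META = 'account_status';                 // assumed meta key
const JH_GATED_ROLES = array( 'candidate', 'employer' ); // assumed role slugs

/**
 * Pure policy decision, kept free of WordPress calls so it can be unit-tested.
 * Returns true when a user with these roles and this status may log in.
 */
function jh_may_log_in( array $roles, $status ) {
    if ( ! array_intersect( $roles, JH_GATED_ROLES ) ) {
        return true; // administrators, editors, etc. are not subject to approval
    }
    // Vulnerable deny-list pattern, shown for contrast:
    //     return $status !== 'inactive';
    // It admits 'pending' and any missing or unknown status. Allow-list instead:
    return $status === 'active';
}

/**
 * 'authenticate' filter at priority 30: WordPress verifies the password at
 * priority 20, so by the time this runs $user is either a WP_Error or a user
 * whose credentials were correct. Only then do we apply the status gate.
 */
function jh_block_unapproved_accounts( $user, $username, $password ) {
    if ( is_wp_error( $user ) || ! ( $user instanceof WP_User ) ) {
        return $user; // credentials already rejected; keep the original error
    }
    $status = get_user_meta( $user->ID, JH_STATUS_META, true );
    if ( jh_may_log_in( (array) $user->roles, $status ) ) {
        return $user;
    }
    // One log line per denied attempt, for the SIEM or server log review.
    error_log( sprintf(
        'jobhunt-hardening: denied login user_id=%d status=%s ip=%s',
        $user->ID,
        $status === '' ? 'missing' : $status,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    return new WP_Error(
        'jh_account_not_active',
        __( 'This account has not been approved or has been deactivated.' )
    );
}
add_filter( 'authenticate', 'jh_block_unapproved_accounts', 30, 3 );

/**
 * A login gate does not touch sessions that already exist. When the status
 * meta changes to anything other than 'active', destroy every session token
 * for that user so a deactivated account cannot keep using an old cookie.
 * 'updated_user_meta' passes ( $meta_id, $user_id, $meta_key, $meta_value ).
 */
function jh_revoke_sessions_on_status_change( $meta_id, $user_id, $meta_key, $meta_value ) {
    if ( $meta_key !== JH_STATUS_META || $meta_value === 'active' ) {
        return;
    }
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();
    error_log( sprintf(
        'jobhunt-hardening: sessions revoked user_id=%d new_status=%s',
        $user_id,
        $meta_value
    ) );
}
add_action( 'updated_user_meta', 'jh_revoke_sessions_on_status_change', 10, 4 );
```

The `authenticate` filter covers the wp-login form and any path that calls `wp_authenticate()`, such as XML-RPC and REST basic-auth logins, but it is never consulted for requests that arrive with an existing session cookie; that is why the second hook exists. Deployed as a small must-use plugin, this acts as a compensating control while the site is still on a version at or below 7.6, and the two log lines give the login-monitoring data the analysis above recommends.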

Disclosure

10/10/2025

Moderation

accepted

CPE

ready

EPSS

0.00175

KEV

no

Activities

very low

Sources
