CVE-2025-7374

MEDIUM

WP JobHunt <= 7.6 - Authenticated Authorization Bypass via Inactive Account Login

Title source: llm

Description

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to authorization bypass in all versions up to, and including, 7.6. This is due to insufficient login restrictions on inactive and pending accounts. This makes it possible for authenticated attackers, with Candidate- and Employer-level access and above, to log in to the site even if their account is inactive or pending.

Scores

CVSS v3 5.4
EPSS 0.0018
EPSS Percentile 7.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (2)
None/WP JobHunt < 7.6
n/a/WP JobHunt < 7.6
Published Oct 10, 2025
Tracked Since Feb 18, 2026