CVE-2025-39537 is a medium-severity vulnerability classified under CWE-639, which pertains to Authorization Bypass Through User-Controlled Key. This vulnerability affects the WordPress plugin WP JobHunt developed by Chimpstudio, specifically versions up to 7.1. The core issue arises from incorrectly configured access control security levels, allowing an attacker to bypass authorization mechanisms by manipulating user-controlled keys. This means that an attacker without any privileges (no authentication required) and without user interaction can remotely exploit this flaw over the network (AV:N), due to low attack complexity (AC:L). The vulnerability impacts confidentiality by potentially allowing unauthorized access to sensitive data or restricted functionalities within the WP JobHunt plugin, but it does not affect integrity or availability. The CVSS 3.1 base score is 5.3, reflecting a medium severity level. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved in April 2025 and published in May 2025, indicating it is a recent discovery. The lack of authentication and user interaction requirements increases the risk of exploitation, especially on publicly accessible WordPress sites using the affected plugin. The vulnerability's nature suggests that attackers could gain unauthorized access to job listings, candidate information, or administrative functions managed by WP JobHunt, potentially leading to data leakage or unauthorized modifications within the plugin's scope.

For European organizations using the WP JobHunt plugin on their WordPress sites, this vulnerability poses a risk of unauthorized data exposure or unauthorized access to job recruitment functionalities. Organizations involved in recruitment, HR services, or job board hosting could see confidentiality breaches, potentially exposing candidate personal data or internal job posting details. While the vulnerability does not directly impact data integrity or availability, unauthorized access could facilitate further attacks or data harvesting. Given the GDPR regulations in Europe, any unauthorized access to personal data could lead to significant compliance issues and financial penalties. The fact that no authentication is required for exploitation increases the threat surface, especially for publicly accessible websites. Organizations relying on WP JobHunt for critical recruitment operations may face reputational damage if candidate or job data is leaked. Additionally, attackers could use this access to pivot to other parts of the WordPress environment if other vulnerabilities exist, increasing the overall risk.

1. Immediate mitigation should include disabling or uninstalling the WP JobHunt plugin until a security patch is released by Chimpstudio. 2. Monitor official Chimpstudio channels and WordPress plugin repositories for updates or patches addressing CVE-2025-39537 and apply them promptly. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting WP JobHunt endpoints, especially those attempting to manipulate user-controlled keys or access control parameters. 4. Conduct a thorough audit of user roles and permissions within WordPress to ensure least privilege principles are enforced, minimizing potential damage from unauthorized access. 5. Employ network segmentation and restrict administrative access to WordPress backend interfaces to trusted IPs where feasible. 6. Enable detailed logging and monitoring of access to WP JobHunt functionalities to detect anomalous activities early. 7. Educate site administrators about the risks of using outdated or unpatched plugins and encourage regular security reviews of all WordPress components.