CVE-2025-6585 is a critical vulnerability found in the WP JobHunt plugin for WordPress, affecting all versions up to and including 7.2. The root cause is improper input validation (CWE-20) in the cs_remove_profile_callback() function, which handles user profile deletion requests. Specifically, the function fails to validate a user-controlled key parameter, leading to an Insecure Direct Object Reference (IDOR) vulnerability. This flaw allows any authenticated user with at least Subscriber-level privileges to craft requests that delete other users' accounts, including those with administrative privileges. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network, as indicated by the CVSS vector (AV:N/AC:L/PR:L/UI:N). The impact is severe, compromising the integrity and availability of user accounts, potentially leading to denial of service for administrators and loss of control over the WordPress site. Although no public exploits are currently known, the high CVSS score (8.1) and the nature of the vulnerability make it a significant threat. No official patches have been released yet, increasing the urgency for organizations to implement interim mitigations. The vulnerability was publicly disclosed on July 22, 2025, with Wordfence as the assigner. Given the widespread use of WordPress and the popularity of WP JobHunt for recruitment sites, this vulnerability poses a substantial risk to many websites globally.

The vulnerability allows authenticated users with minimal privileges (Subscriber-level) to delete any user account, including administrators. This can lead to complete loss of administrative control over the affected WordPress site, resulting in denial of service and potential site takeover if administrative accounts are removed or locked out. The integrity of user data is compromised as attackers can arbitrarily remove accounts, disrupting business operations, user access, and trust. Availability is also impacted since critical user accounts can be deleted, potentially causing site outages or loss of functionality. Organizations relying on WP JobHunt for recruitment or job board functionality may face operational disruptions and reputational damage. The ease of exploitation (low complexity, no user interaction) combined with the broad scope of affected versions increases the likelihood of exploitation once public exploits emerge. This vulnerability is particularly dangerous in multi-user environments where many users have Subscriber-level access, such as community or job portal websites.

Until an official patch is released, organizations should implement the following mitigations: 1) Restrict Subscriber-level user permissions to the minimum necessary, potentially disabling account deletion capabilities for these users via custom role modifications or capability restrictions. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the cs_remove_profile_callback() function or containing unexpected user ID parameters. 3) Monitor logs for unusual account deletion activity, especially deletions initiated by Subscriber-level users. 4) Consider temporarily disabling or uninstalling the WP JobHunt plugin if feasible, especially on high-risk or critical sites. 5) Implement additional input validation at the web server or application level to verify user identity before processing deletion requests. 6) Stay alert for official patches or updates from the WP JobHunt developers and apply them promptly once available. 7) Educate site administrators about the risk and encourage regular backups of user data to enable recovery in case of account deletions.