CVE-2025-7374 identifies an authorization bypass vulnerability in the WP JobHunt plugin for WordPress, which is widely used in conjunction with the JobCareer theme to manage job listings and candidate/employer accounts. The flaw arises from insufficient login restrictions on accounts that are inactive or pending approval. Specifically, authenticated users with roles such as Candidate or Employer can bypass these restrictions and successfully log in even if their account status should prevent access. This vulnerability is classified under CWE-863 (Incorrect Authorization), indicating a failure to properly enforce access control policies. The vulnerability affects all versions up to and including 7.6 of WP JobHunt. The CVSS 3.1 base score is 5.4 (medium severity), with an attack vector of network (remote exploitation), low attack complexity, requiring privileges (authenticated users), no user interaction, and impacting confidentiality and integrity but not availability. Although no public exploits have been reported yet, the flaw could allow attackers to access sensitive user data or perform unauthorized actions within the site, undermining trust and data integrity. The vulnerability is particularly concerning for websites that rely heavily on user role management and account status enforcement to control access to sensitive job-related data and user profiles.

For European organizations, the impact of this vulnerability can be significant, especially for those operating job boards, recruitment platforms, or HR portals using the WP JobHunt plugin. Unauthorized access by users with inactive or pending accounts could lead to exposure of personal data, including candidate resumes, employer details, and job listings. This compromises confidentiality and integrity of sensitive information. Attackers might manipulate account data or perform actions reserved for active users, potentially disrupting recruitment workflows or damaging organizational reputation. Given the GDPR regulations in Europe, any data breach resulting from exploitation could lead to regulatory penalties and loss of customer trust. The medium severity score reflects moderate risk, but the ease of exploitation by authenticated users makes it a practical threat. Organizations with high volumes of user registrations and role-based access controls are particularly vulnerable to exploitation. The absence of known exploits in the wild suggests a window for proactive mitigation before widespread attacks occur.

1. Monitor WP JobHunt plugin updates closely and apply patches immediately once released to address this vulnerability. 2. Until an official patch is available, implement custom access control checks in the WordPress environment to enforce account status restrictions rigorously, preventing inactive or pending users from logging in. 3. Review and tighten user role permissions to minimize privileges granted to Candidate and Employer roles, limiting potential damage if exploited. 4. Enable detailed logging and monitoring of login attempts, especially from accounts with inactive or pending status, to detect suspicious activity early. 5. Conduct regular audits of user accounts and remove or deactivate stale or suspicious accounts promptly. 6. Educate site administrators on the risks of this vulnerability and encourage vigilance in user management. 7. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block anomalous login behavior related to this flaw. 8. Backup site data regularly to ensure recovery capability in case of compromise.