CVE-2025-7374: CWE-863 Incorrect Authorization in WP JobHunt
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to authorization bypass in all versions up to, and including, 7.6. This is due to insufficient login restrictions on inactive and pending accounts. This makes it possible for authenticated attackers, with Candidate- and Employer-level access and above, to log in to the site even if their account is inactive or pending.
AI Analysis
Technical Summary
CVE-2025-7374 is a medium-severity authorization bypass vulnerability identified in the WP JobHunt plugin for WordPress, which is commonly bundled with the JobCareer theme. The vulnerability affects all versions up to and including 7.6. It stems from improper authorization checks that fail to enforce login restrictions on accounts marked as inactive or pending. As a result, authenticated users with roles such as Candidate or Employer can bypass these restrictions and successfully log in despite their account status. This flaw is categorized under CWE-863 (Incorrect Authorization). The vulnerability does not require user interaction and can be exploited remotely over the network by users with valid credentials, making it a privilege escalation within the application context. The CVSS 3.1 base score of 5.4 reflects a moderate impact primarily on confidentiality and integrity, as unauthorized access to inactive accounts could expose sensitive candidate or employer data or allow unauthorized actions within the site. Availability is not impacted. No public exploits have been reported yet, but the vulnerability's presence in a widely used plugin makes it a potential target. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for interim mitigations. The vulnerability highlights the importance of robust authorization logic in multi-role web applications, especially those handling sensitive recruitment data.
Potential Impact
The primary impact of CVE-2025-7374 is unauthorized access to accounts that should be restricted due to inactive or pending status. This can lead to exposure of sensitive personal and business information stored within the WP JobHunt plugin, including candidate resumes, employer job postings, and potentially private communications. Attackers with Candidate or Employer roles could perform actions reserved for active users, potentially manipulating job applications or postings. Although the vulnerability does not directly affect system availability, the integrity and confidentiality of recruitment data are at risk. Organizations relying on WP JobHunt for their recruitment portals may face reputational damage, data privacy violations, and compliance issues if exploited. The requirement for authentication limits the attack surface to users who already have some level of access, but the bypass of account status checks effectively escalates their privileges. This could facilitate insider threats or abuse by compromised accounts. Given the widespread use of WordPress and the popularity of job-related plugins, the vulnerability could affect a significant number of organizations globally, especially those in sectors with active hiring processes.
Mitigation Recommendations
Until an official patch is released, organizations should implement the following mitigations:
1) Manually enforce account status checks at the application or web server level to block login attempts from inactive or pending accounts.
2) Restrict user roles with Candidate or Employer access to only trusted personnel and monitor their login activities closely for anomalies.
3) Employ multi-factor authentication (MFA) to reduce the risk of compromised credentials being used to exploit this vulnerability.
4) Regularly audit user accounts and promptly deactivate or remove inactive or pending accounts to minimize the pool of vulnerable accounts.
5) Use web application firewalls (WAFs) to detect and block suspicious login attempts that may indicate exploitation attempts.
6) Monitor logs for unusual access patterns, especially logins from accounts that should be inactive or pending.
7) Stay updated with vendor announcements and apply patches immediately once available.
8) Consider isolating the WP JobHunt plugin or restricting its access to internal networks if feasible.
These steps go beyond generic advice by focusing on compensating controls tailored to the specific authorization bypass nature of this vulnerability.
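One way to apply mitigation 1) and 6) at the WordPress application level, as an added example that is not WP JobHunt's own code: a small must-use plugin that rejects logins for accounts flagged inactive or pending and terminates any session such an account already holds. It assumes the plugin stores the account status in user meta under a key given here as the placeholder `ACCOUNT_STATUS_META_KEY` with the values `inactive` and `pending`; replace these with the key and values used on your site.

```php
<?php
/**
 * Added example (not WP JobHunt code): compensating control for CVE-2025-7374.
 * Drop into wp-content/mu-plugins/ so it loads before the vulnerable plugin.
 *
 * ASSUMPTION: account status lives in user meta under the key below.
 * This key name is a placeholder; check your installation for the real one.
 */
define( 'ACCOUNT_STATUS_META_KEY', 'account_status' ); // hypothetical key

/** Returns true when the given user is flagged inactive or pending. */
function example_account_is_restricted( $user_id ) {
    $status = strtolower( (string) get_user_meta( $user_id, ACCOUNT_STATUS_META_KEY, true ) );
    return in_array( $status, array( 'inactive', 'pending' ), true );
}

/**
 * Runs via the core 'wp_authenticate_user' filter, after the user record is
 * looked up and before the password is verified, so restricted accounts are
 * rejected before a session is ever created.
 *
 * @param WP_User|WP_Error $user     Result of the username/email lookup.
 * @param string           $password Submitted password (unused here).
 * @return WP_User|WP_Error
 */
function example_block_restricted_logins( $user, $password ) {
    if ( is_wp_error( $user ) ) {
        return $user; // an earlier check already failed; keep that error
    }
    if ( example_account_is_restricted( $user->ID ) ) {
        // Mitigation 6): leave a log line for detection before rejecting.
        error_log( sprintf( 'CVE-2025-7374 control: blocked login for user ID %d', $user->ID ) );
        return new WP_Error( 'account_not_active', 'Your account is not active.' );
    }
    return $user;
}
add_filter( 'wp_authenticate_user', 'example_block_restricted_logins', 10, 2 );

/**
 * Belt and braces: a session created before this control was deployed, or
 * through a path that skips 'wp_authenticate_user', is ended on the next request.
 */
function example_end_restricted_sessions() {
    if ( is_user_logged_in() && example_account_is_restricted( get_current_user_id() ) ) {
        error_log( sprintf( 'CVE-2025-7374 control: ended session for user ID %d', get_current_user_id() ) );
        wp_logout();                          // destroys the session and clears auth cookies
        wp_safe_redirect( wp_login_url() );
        exit;
    }
}
add_action( 'init', 'example_end_restricted_sessions' );
```

The `error_log()` lines give the log monitoring in mitigation 6) a concrete string to alert on; forward them to your SIEM alongside the web server's login requests.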
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, India, France, Brazil, Netherlands, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-08T22:51:00.471Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e8f247395901574383ec06
Added to database: 10/10/2025, 11:47:19 AM
Last enriched: 2/26/2026, 4:09:11 PM
Last updated: 3/26/2026, 9:19:42 AM