CVE-2025-7733 is an authorization bypass vulnerability in the WP JobHunt plugin for WordPress, which is commonly used alongside the JobCareer theme. The vulnerability arises from an insecure direct object reference (IDOR) due to missing validation on a user-controlled key parameter within the 'cs_update_application_status_callback' function. This flaw allows authenticated users with Candidate-level access or higher to manipulate the key parameter to bypass authorization checks. Consequently, attackers can trigger the plugin to send site-generated emails containing injected HTML content to any user on the site. The injected HTML can be used for phishing, social engineering, or other malicious purposes, potentially deceiving recipients into taking harmful actions. The vulnerability does not expose sensitive data directly nor does it disrupt service availability, but it compromises the integrity of communications sent by the site. The CVSS v3.1 base score is 4.3, reflecting network attack vector, low attack complexity, required privileges (low), no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and no availability impact. No patches or official fixes have been published as of the vulnerability disclosure date, and no known exploits have been detected in the wild. The vulnerability affects all versions of WP JobHunt up to and including 7.7, making it broadly applicable to sites using this plugin. The flaw is categorized under CWE-639, which involves authorization bypass through user-controlled keys, highlighting the importance of validating user inputs that control access decisions.

The primary impact of CVE-2025-7733 is the unauthorized sending of site-generated emails containing attacker-injected HTML to arbitrary users. This can facilitate phishing attacks, social engineering, or the distribution of malicious content under the guise of legitimate site communications. While the vulnerability does not directly expose confidential information or disrupt service availability, it undermines the integrity and trustworthiness of communications sent from affected WordPress sites. Organizations relying on WP JobHunt for recruitment or job application management risk reputational damage if attackers exploit this flaw to deceive users. The attack requires authenticated access at the Candidate level or above, which limits exposure to internal or registered users rather than anonymous internet users. However, since Candidate-level access is typically granted to job applicants, attackers could be external users who have registered accounts. The vulnerability's exploitation could lead to increased phishing success rates and potential credential theft or malware infections among users receiving manipulated emails. No known active exploitation reduces immediate risk, but the lack of patches means the vulnerability remains exploitable. The impact is thus moderate but significant for organizations with large user bases or sensitive recruitment workflows.

To mitigate CVE-2025-7733, organizations should immediately review and restrict permissions for Candidate-level users to the minimum necessary, limiting their ability to trigger the vulnerable callback. Administrators should monitor outgoing emails for suspicious content and implement email filtering to detect and block injected HTML or phishing attempts. Until an official patch is released, consider disabling or replacing the WP JobHunt plugin if feasible, or applying custom code fixes that validate and sanitize the user-controlled key parameter in the 'cs_update_application_status_callback' function. Employ web application firewalls (WAFs) with rules targeting unusual parameter manipulation in WP JobHunt endpoints. Conduct regular audits of user roles and capabilities to ensure no excessive privileges are granted. Educate users to recognize phishing emails and report suspicious communications. Stay informed on updates from the plugin vendor and apply patches promptly once available. Additionally, implement Content Security Policy (CSP) headers to reduce the impact of injected HTML in emails and web pages. For organizations unable to immediately patch or disable the plugin, consider isolating the WordPress instance or restricting access to the application status update functionality to trusted IP ranges.