
CVE-2025-7733: CWE-639 Authorization Bypass Through User-Controlled Key in WP JobHunt

Severity: Medium
Tags: Vulnerability, CVE-2025-7733, CWE-639
Published: Sat Dec 20 2025 (12/20/2025, 13:47:42 UTC)
Source: CVE Database V5
Product: WP JobHunt

Description

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'cs_update_application_status_callback' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user.

AI-Powered Analysis

Last updated: 12/20/2025, 14:08:12 UTC

Technical Analysis

CVE-2025-7733 is an authorization bypass vulnerability categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the WP JobHunt plugin for WordPress, which is commonly used alongside the JobCareer theme. The vulnerability exists in all versions up to and including 7.7 and is due to insufficient validation of a user-controlled key parameter in the 'cs_update_application_status_callback' function. This flaw allows authenticated users with Candidate-level access or higher to manipulate the key parameter to bypass authorization controls. As a result, attackers can trigger the plugin to send site-generated emails containing attacker-injected HTML content to any user on the site. This capability can be abused to conduct phishing attacks or deliver malicious payloads via email, leveraging the trust users place in site-generated communications. The vulnerability does not require user interaction beyond authentication, and the attack vector is network-based with low attack complexity. The CVSS 3.1 score of 4.3 reflects a medium severity primarily due to the integrity impact (injected HTML in emails) without direct confidentiality or availability compromise. No known exploits have been reported in the wild, and no official patches have been released as of the publication date. The vulnerability highlights the risk of improper authorization checks in WordPress plugins, especially those handling user-generated content and communications.

Potential Impact

For European organizations using the WP JobHunt plugin, this vulnerability poses a risk of internal phishing and social engineering attacks that can undermine user trust and lead to credential theft or further compromise. The ability for Candidate-level users to send crafted emails with injected HTML can facilitate targeted attacks against employees or job applicants, potentially exposing sensitive personal or corporate information. While the vulnerability does not directly impact system availability or confidentiality, the integrity of email communications is compromised, which can have cascading effects on organizational security posture. Recruitment platforms and HR departments relying on WP JobHunt are particularly at risk, as attackers could impersonate official communications to manipulate recipients. The lack of a patch increases the window of exposure, making timely mitigation essential. Additionally, regulatory compliance under GDPR may be affected if personal data is mishandled or if phishing leads to data breaches. The impact is heightened in sectors with high recruitment activity or where trust in email communications is critical.

Mitigation Recommendations

1. Immediately restrict Candidate-level user permissions to the minimum necessary, avoiding granting access to functions that trigger email sending where possible.
2. Implement additional input validation and sanitization on the 'cs_update_application_status_callback' function to ensure user-controlled keys are properly validated before processing.
3. Monitor and audit email sending logs for unusual patterns or unexpected recipients to detect potential exploitation attempts.
4. Educate users, especially HR and recruitment staff, about the risk of phishing emails originating from internal systems and encourage verification of suspicious communications.
5. If feasible, temporarily disable or replace the WP JobHunt plugin until an official patch is released.
6. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable callback.
7. Coordinate with WordPress and plugin developers to track patch releases and apply updates promptly once available.
8. Review and tighten overall WordPress user role assignments to limit exposure to similar authorization bypass issues.
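What the validation in step 2 looks like in a WordPress AJAX handler: the request's application ID is treated as untrusted, resolved server-side, and tied to an object the requesting user actually owns before any email is sent. This is an added, hypothetical example and not WP JobHunt's own code; the action name, the 'application' post type, the '_job_id' and '_status' meta keys, and the 'edit_posts' capability are all assumptions.

```php
<?php
// Hypothetical hardened "update application status" AJAX handler.
// Not WP JobHunt's code: the 'jobhunt_' names, the 'application' post type,
// the '_job_id'/'_status' meta keys and the capability are assumptions.
add_action( 'wp_ajax_jobhunt_update_application_status', 'jobhunt_update_application_status_secure' );

function jobhunt_update_application_status_secure() {
    // 1. CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'jobhunt_update_status', 'nonce' );

    // 2. Capability: a logged-in session alone is not authorization.
    if ( ! current_user_can( 'edit_posts' ) ) { // assumed employer capability
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Normalise the user-controlled key before looking anything up.
    $application_id = absint( $_POST['application_id'] ?? 0 );
    $application    = get_post( $application_id );
    if ( ! $application || 'application' !== $application->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }

    // 4. Ownership (the CWE-639 check): the application must belong to a job
    //    authored by the requesting user. Without this, any authenticated user
    //    could name an arbitrary application and have the site email its applicant.
    $job = get_post( (int) get_post_meta( $application_id, '_job_id', true ) );
    if ( ! $job || (int) $job->post_author !== get_current_user_id() ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 5. Constrain the status to a fixed set instead of trusting free text.
    $allowed = array( 'pending', 'shortlisted', 'rejected', 'hired' );
    $status  = sanitize_key( $_POST['status'] ?? '' );
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'bad status', 400 );
    }
    update_post_meta( $application_id, '_status', $status );

    // 6. Notification: recipient is derived from the application record, never
    //    from the request, and the optional note is stripped of all markup.
    $candidate = get_userdata( (int) $application->post_author );
    $note      = wp_strip_all_tags( wp_unslash( $_POST['note'] ?? '' ) );
    if ( $candidate ) {
        $body = sprintf( "Your application for \"%s\" is now: %s\n\n%s",
            wp_strip_all_tags( $job->post_title ), $status, $note );
        wp_mail( $candidate->user_email, 'Application status updated', $body );
    }
    wp_send_json_success( array( 'status' => $status ) );
}
```

Steps 4 and 6 together are what close the reported issue: the key is bound to the caller's own data, and the recipient and message body can no longer be chosen by the caller.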


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-07-17T01:29:25.806Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6946aa3f987e301cd6415945

Added to database: 12/20/2025, 1:53:03 PM

Last enriched: 12/20/2025, 2:08:12 PM

Last updated: 12/20/2025, 6:20:49 PM
