CVE-2025-7733: CWE-639 Authorization Bypass Through User-Controlled Key in WP JobHunt
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'cs_update_application_status_callback' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user.
AI Analysis
Technical Summary
CVE-2025-7733 is an authorization bypass vulnerability in the WP JobHunt plugin for WordPress, affecting all versions up to 7.7. The issue arises from an insecure direct object reference caused by missing validation on a user-controlled key within the 'cs_update_application_status_callback' function. This flaw enables authenticated users with Candidate-level privileges or above to send emails generated by the site that include injected HTML content to arbitrary users. The vulnerability is classified under CWE-639 and has a CVSS 3.1 base score of 4.3, indicating medium severity.
Potential Impact
An attacker with authenticated Candidate-level access or higher can exploit this vulnerability to send emails with injected HTML content to any user of the site. This could potentially be used for phishing or social engineering attacks leveraging the trusted email channel. There is no direct impact on confidentiality or availability reported, and no known active exploitation in the wild has been documented.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Candidate-level access to trusted users only and monitor for suspicious email activity. Avoid relying on the plugin's email functionality for sensitive communications. Follow updates from the WP JobHunt plugin vendor or WordPress security advisories for official patches or temporary mitigations.
CVE-2025-7733: CWE-639 Authorization Bypass Through User-Controlled Key in WP JobHunt
Description
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'cs_update_application_status_callback' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-7733 is an authorization bypass vulnerability in the WP JobHunt plugin for WordPress, affecting all versions up to 7.7. The issue arises from an insecure direct object reference caused by missing validation on a user-controlled key within the 'cs_update_application_status_callback' function. This flaw enables authenticated users with Candidate-level privileges or above to send emails generated by the site that include injected HTML content to arbitrary users. The vulnerability is classified under CWE-639 and has a CVSS 3.1 base score of 4.3, indicating medium severity.
Potential Impact
An attacker with authenticated Candidate-level access or higher can exploit this vulnerability to send emails with injected HTML content to any user of the site. This could potentially be used for phishing or social engineering attacks leveraging the trusted email channel. There is no direct impact on confidentiality or availability reported, and no known active exploitation in the wild has been documented.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Candidate-level access to trusted users only and monitor for suspicious email activity. Avoid relying on the plugin's email functionality for sensitive communications. Follow updates from the WP JobHunt plugin vendor or WordPress security advisories for official patches or temporary mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-07-17T01:29:25.806Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6946aa3f987e301cd6415945
Added to database: 12/20/2025, 1:53:03 PM
Last enriched: 4/9/2026, 5:56:23 PM
Last updated: 5/10/2026, 10:31:17 AM
Views: 191
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.