CVE-2025-7782 is a vulnerability classified under CWE-862 (Missing Authorization) found in the WP JobHunt plugin for WordPress, which is commonly used alongside the JobCareer theme. The vulnerability exists because the 'cs_update_application_status_callback' function does not perform adequate capability checks before allowing status updates on job applications. This flaw permits any authenticated user with Candidate-level access or higher to modify the 'status' parameter of job applications belonging to any user, bypassing intended authorization controls. The vulnerability enables injection of cross-site scripting (XSS) payloads into the status field, which can be used to execute malicious scripts in the context of the victim's browser. The CVSS v3.1 score is 7.6 (high), reflecting network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality (high), integrity (low), and availability (low). Although no exploits are currently known in the wild, the vulnerability poses a significant risk due to the widespread use of WordPress and the WP JobHunt plugin in recruitment websites. Attackers could leverage this to manipulate application statuses, inject malicious scripts, and potentially pivot to further attacks within the affected environment.

For European organizations, especially those operating recruitment or HR platforms using WordPress with the WP JobHunt plugin, this vulnerability could lead to unauthorized data manipulation, undermining the integrity of job application records. The XSS injection capability could facilitate session hijacking, credential theft, or delivery of malware to users interacting with the affected application. Confidentiality is at high risk as attackers can manipulate data visible to other users or administrators. Availability impact is low but possible if attackers disrupt application workflows or cause application errors. The breach of trust in recruitment platforms could damage organizational reputation and lead to regulatory scrutiny under GDPR if personal data is compromised. Given the network-exploitable nature and low complexity, attackers with basic authenticated access could exploit this vulnerability, increasing the threat surface for European organizations reliant on these platforms.

Organizations should immediately audit their WordPress installations to identify the presence of the WP JobHunt plugin and verify the version in use. Until an official patch is released, restrict user roles to the minimum necessary privileges, especially limiting Candidate-level users from accessing functions that modify application statuses. Implement web application firewalls (WAFs) with custom rules to detect and block anomalous requests targeting the 'cs_update_application_status_callback' endpoint, particularly those attempting to inject scripts into the 'status' parameter. Conduct thorough input validation and sanitization on all user-supplied data fields within the application. Monitor logs for unusual activity related to job application status updates. Educate administrators and developers about the vulnerability to ensure rapid patch deployment once available. Additionally, consider isolating the recruitment platform from other critical systems to limit lateral movement in case of compromise.