CVE-2025-7782 is a vulnerability identified in the WP JobHunt plugin for WordPress, which is commonly used alongside the JobCareer theme to manage job applications. The root cause is a missing authorization check (CWE-862) in the 'cs_update_application_status_callback' function, which handles updates to the status of job applications. This missing capability check means that any authenticated user with Candidate-level access or higher can invoke this function to modify the 'status' parameter of job applications belonging to any user, not just their own. The vulnerability allows injection of cross-site scripting (XSS) payloads into the 'status' field, which can be used to execute arbitrary scripts in the context of the victim's browser. The CVSS 3.1 score of 7.6 indicates a high-severity issue with network attack vector, low complexity, requiring privileges but no user interaction, and impacts confidentiality (high), integrity (low), and availability (low). Although no known exploits have been reported in the wild, the vulnerability poses a significant risk due to the widespread use of WordPress and the popularity of the WP JobHunt plugin in recruitment websites. The lack of proper authorization checks means attackers can escalate privileges within the application context, potentially leading to data leakage, session hijacking, or further exploitation through XSS. The vulnerability affects all versions up to and including 7.7, and no official patches have been linked yet.

The primary impact of CVE-2025-7782 is unauthorized modification of job application statuses and injection of malicious scripts via XSS, which can compromise the confidentiality of user data and the integrity of application workflows. Attackers with Candidate-level access can manipulate application statuses of other users, potentially disrupting recruitment processes and causing reputational damage to organizations. The XSS component can lead to session hijacking, credential theft, or delivery of further malware, affecting both users and administrators. Availability impact is limited but possible if injected scripts disrupt normal plugin functionality. Organizations relying on WP JobHunt for recruitment may face data breaches, loss of user trust, and compliance issues, especially in regulated industries. The vulnerability's ease of exploitation and network accessibility increase the risk of widespread attacks if left unmitigated.

To mitigate CVE-2025-7782, organizations should immediately restrict access to the WP JobHunt plugin's application status update functionality to only trusted roles beyond Candidate-level, implementing custom capability checks if necessary. Until an official patch is released, administrators can apply temporary workarounds such as disabling the vulnerable callback function via WordPress hooks or filters, or employing Web Application Firewalls (WAFs) to detect and block suspicious requests targeting the 'cs_update_application_status_callback'. Regularly audit user roles and permissions to ensure minimal privilege principles are enforced. Additionally, sanitize and validate all inputs related to job application statuses to prevent XSS injection. Monitoring logs for unusual activity related to application status updates can help detect exploitation attempts. Finally, maintain up-to-date backups and prepare incident response plans specific to WordPress plugin vulnerabilities.