CVE-2025-7374: 
WordPress vulnerability analysis and mitigation

The WP JobHunt plugin for WordPress (CVE-2025-7374), discovered on October 9, 2025, affects all versions up to and including 7.6. This vulnerability is specifically associated with the JobCareer theme and involves an authorization bypass issue. The vulnerability was publicly disclosed on October 10, 2025, and has been assigned a CVSS v3.1 base score of 5.4 (Medium) (NVD, Wordfence).

The vulnerability is classified as an Incorrect Authorization issue (CWE-863) and stems from insufficient login restrictions on inactive and pending accounts. The CVSS v3.1 vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N indicates that this is a network-accessible vulnerability with low attack complexity, requiring low privileges and no user interaction (NVD).

The vulnerability allows authenticated attackers with Candidate- and Employer-level access and above to log into the site even when their accounts are marked as inactive or pending. This bypass of intended access restrictions could lead to unauthorized access to sensitive information and potential system compromise (NVD).

Website administrators running the WP JobHunt plugin should upgrade to a version newer than 7.6 when available. In the meantime, it is recommended to carefully monitor and manage user account statuses, particularly those marked as inactive or pending (NVD).