CVE-2025-7374: 
WordPress vulnerability analysis and mitigation

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to authorization bypass in versions up to and including 7.6. The vulnerability was discovered and disclosed on October 10, 2025, and has been assigned CVE-2025-7374. The issue affects WordPress installations using the JobCareer theme with the WP JobHunt plugin (NVD, Wordfence).

The vulnerability stems from insufficient login restrictions on inactive and pending accounts. This authorization bypass vulnerability allows authenticated attackers with Candidate- and Employer-level access and above to log in to the site even if their account is inactive or pending. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, indicating network accessibility with low attack complexity (NVD).

The vulnerability allows authenticated users to bypass account status restrictions, potentially gaining unauthorized access to the website even when their accounts are marked as inactive or pending. This could lead to unauthorized access to sensitive information and potential misuse of platform features (NVD).