← back
CVE-2025-7733

WP JobHunt <= 7.7 - Authenticated (Candidate+) Insecure Direct Object Reference

CVSS 4.3 MEDIUMEPSS 0.2%CWE-639
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.3EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
20 Dec 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'cs_update_application_status_callback' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected products
n/a · WP JobHunt