CVE Details
Basic Information
| Title | WP JobHunt <= 7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Account Deletion |
|---|---|
| Type | cve |
| Published | 2025-07-22T04:25:08.363Z |
| Modified | 2025-07-22T04:25:08.363Z |
Product Information
| Vendor | n/a |
|---|---|
| Product | WP JobHunt |
| Version | * |
CVSS Information
| Base Score | 8.1 (HIGH) |
|---|---|
| Attack Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
AI Analysis
| AI Description | The WP JobHunt plugin (versions up to 7.2) has an Insecure Direct Object Reference vulnerability. This allows authenticated attackers with Subscriber access or higher to delete other users’ accounts, including admins, due to insufficient validation. |
|---|---|
| AI Severity | High |
| AI Vendor | WordPress Community |
| AI Product | WP JobHunt |
| AI Version | up to 7.2 |
Affected Products
- n/a WP JobHunt *
Additional Information
| CWE List | CWE-20 |
|---|---|
| Source | Wordfence |
Description
The WP JobHunt plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.2 via the cs_remove_profile_callback() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete accounts of other users including admins.