CVE-2025-7782

WordPress · WordPress WP JobHunt plugin, JobCareer theme

A high-severity vulnerability exists within the WP JobHunt plugin and JobCareer theme for WordPress, allowing unauthorized users to modify data.

Executive summary

The flaw stems from a missing capability check on an AJAX handler, which lets an attacker holding even a low-privileged account alter information such as job application statuses, potentially disrupting hiring processes and compromising data integrity.

Vulnerability

The vulnerability is a Broken Access Control issue caused by a missing capability check on the cs_update_application_status_callback AJAX function, which is responsible for updating the status of job applications. Because the function does not verify whether the requesting user holds the appropriate permissions, any authenticated user, regardless of role (for example, a subscriber), can send a crafted request to this function and arbitrarily change the status of any job application in the system.
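The pattern described above, shown as an added illustration rather than the WP JobHunt plugin's own code: a WordPress AJAX handler for the action named in this advisory, first in the form the advisory describes (no authorization check) and then in a hardened form. The storage model (a `job_application` post type with an `application_status` meta key), the allowed status values and the capability name `manage_job_applications` are assumptions made for the example; only the action name comes from the advisory.

```php
<?php
/*
 * Added illustration, not the plugin's code. Two versions of a handler for
 * the 'cs_update_application_status_callback' AJAX action. Post type, meta
 * key, status values and capability name are assumed for the example.
 */

// BEFORE (the vulnerable pattern): every logged-in user reaches this handler,
// and nothing verifies a nonce, the caller's capability, or the status value.
function jh_example_update_status_vulnerable() {
    $application_id = (int) $_POST['application_id'];
    $status         = $_POST['status'];
    update_post_meta( $application_id, 'application_status', $status );
    wp_send_json_success( array( 'status' => $status ) );
}

// AFTER (hardened pattern).
function jh_example_update_status_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'cs_update_application_status', 'nonce' );

    // 2. Validate input before anything is looked up or written.
    $application_id = isset( $_POST['application_id'] ) ? absint( $_POST['application_id'] ) : 0;
    $status         = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    $allowed        = array( 'pending', 'shortlisted', 'rejected', 'hired' ); // assumed values

    if ( ! $application_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    // 3. The target must exist and be the expected object type.
    $application = get_post( $application_id );
    if ( ! $application || 'job_application' !== $application->post_type ) {
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    // 4. Authorization: the check the advisory reports as missing. The decision
    //    is tied to a capability and to the specific object, so a subscriber,
    //    or an employer who does not own this application, is refused.
    if ( ! current_user_can( 'manage_job_applications' )
         && ! current_user_can( 'edit_post', $application_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    update_post_meta( $application_id, 'application_status', $status );
    wp_send_json_success( array( 'status' => $status ) );
}

// Register only the hardened handler, and only for authenticated requests.
// No 'wp_ajax_nopriv_' registration: anonymous callers get no handler at all.
add_action( 'wp_ajax_cs_update_application_status_callback', 'jh_example_update_status_hardened' );
```

The ordering matters in practice: the nonce check defeats cross-site request forgery, input validation rejects malformed IDs and status strings before any database access, and the capability check is evaluated against the specific application so that authorization cannot be satisfied merely by being logged in. `wp_send_json_error()` terminates the request, so the write at the end is reached only when every check has passed.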

Business impact

This vulnerability is classified as High severity with a CVSS score of 7.6. Exploitation could have a significant negative impact on business operations, particularly those related to recruitment and human resources. Successful exploitation could lead to a loss of data integrity, as an attacker could illicitly approve, reject, or modify job applications. This could cause operational disruption, reputational damage if the flaw becomes public, and potential loss of qualified candidates due to a compromised and unreliable hiring platform.

Remediation

Immediate Action:

  • Immediately update the WP JobHunt plugin and/or the JobCareer theme to the latest version provided by the vendor, which addresses this vulnerability.
  • If the plugin or theme is no longer required for business operations, it should be deactivated and completely removed from the WordPress installation to eliminate the attack surface.

Proactive Monitoring:

  • Review web server and WordPress audit logs for suspicious POST requests to /wp-admin/admin-ajax.php containing the action cs_update_application_status_callback, especially if originating from low-privileged user accounts.
  • Monitor job application data for any unusual or unauthorized status changes that do not correspond with legitimate actions by HR personnel.
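One practical caveat for the log review above: a standard web server access log records the request line but not the POST body, so the `action` parameter of an admin-ajax.php call is usually invisible there unless it was passed in the query string. The following added example (not part of the advisory or the plugin) is a must-use plugin that logs every call to the action named in the advisory from inside WordPress, where the caller's identity and roles are known, and flags calls by users who lack the capability expected for this operation. The capability name `manage_job_applications` and the use of `error_log()` as the destination are assumptions; the action name comes from the advisory.

```php
<?php
/*
 * Added example, not the plugin's code. Drop into wp-content/mu-plugins/ to
 * record calls to the 'cs_update_application_status_callback' AJAX action
 * with the caller's user ID, roles and source address. Calls from users
 * without the expected capability (assumed name) are logged at ALERT level.
 */

define( 'JH_WATCHED_ACTION', 'cs_update_application_status_callback' );
define( 'JH_EXPECTED_CAP', 'manage_job_applications' ); // assumed capability

function jh_watch_application_status_ajax() {
    // Only inspect admin-ajax.php requests.
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    if ( JH_WATCHED_ACTION !== $action ) {
        return;
    }

    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'anonymous';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    $app   = isset( $_POST['application_id'] ) ? absint( $_POST['application_id'] ) : 0;

    // A caller without the expected capability is exactly the case the
    // advisory's Proactive Monitoring item asks to watch for.
    $level = current_user_can( JH_EXPECTED_CAP ) ? 'INFO' : 'ALERT';

    error_log( sprintf(
        '[jobhunt-watch] %s action=%s user_id=%d roles=%s ip=%s application_id=%d method=%s',
        $level,
        $action,
        $user->ID,
        $roles,
        $ip,
        $app,
        isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '-'
    ) );
}

// admin-ajax.php fires 'admin_init' before dispatching the wp_ajax_* handler,
// so this hook sees the request before the plugin's own code acts on it.
add_action( 'admin_init', 'jh_watch_application_status_ajax' );
```

Lines tagged `ALERT` are the ones to correlate with the application data review in the second monitoring item: an `ALERT` followed by an unexplained status change on the logged `application_id` is strong evidence of exploitation. Because the hook runs before the action handler, the same function could be extended to refuse the request (for example with `wp_send_json_error()` and a 403) as a temporary compensating control until the vendor update is applied.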

Compensating Controls:

  • If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with a custom rule to block any requests attempting to call the cs_update_application_status_callback action from non-administrative users.
  • Enforce the principle of least privilege for all WordPress user accounts. Disable public user registration if it is not essential for the site's functionality.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity score and the direct impact on data integrity and business operations, immediate remediation is strongly recommended. Organizations using the affected WordPress plugin or theme should prioritize applying the vendor-supplied security patches without delay. While this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its ease of exploitation makes it a critical risk that must be addressed to prevent potential disruption and data compromise.