Primary

Context

WP JobHunt Plugin Insecure Direct Object Reference Vulnerability Allowing Arbitrary Account Deletion

Vulnerability

A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in the WP JobHunt plugin for WordPress, affecting all versions through 7.2. The issue arises in the cs_remove_profile_callback() function, where insufficient validation on a user-controlled key enables authenticated attackers with Subscriber-level access and above to delete accounts of other users, including administrators.

Impact

Exploitation of this vulnerability allows for the unauthorized deletion of user accounts, including those of administrators.

Remediation

No known patch is available. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.

Added: Jul 22, 2025, 5:21 AM

Updated: Jul 22, 2025, 5:21 AM

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

2.5

exploitability

5.0

remediation

0.0

relevance

0.3

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

2.5

exploitability

5.0

remediation

0.0

relevance

0.3

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WP JobHunt Plugin Insecure Direct Object Reference Vulnerability Allowing Arbitrary Account Deletion

Vulnerability

Impact

Remediation

Affected Products

WP JobHunt

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating