CVE-2025-6585 Overview
CVE-2025-6585 is an Insecure Direct Object Reference (IDOR) vulnerability in the WP JobHunt plugin for WordPress. The flaw affects all versions up to and including 7.2 and resides in the cs_remove_profile_callback() function. The function fails to validate a user-controlled key before performing account deletion operations. Authenticated attackers with Subscriber-level access or higher can exploit this weakness to delete arbitrary user accounts, including those belonging to administrators. The vulnerability is categorized under CWE-20: Improper Input Validation.
Critical Impact
Authenticated attackers with minimal privileges can delete administrator accounts, leading to integrity loss and full denial of service on affected WordPress sites.
Affected Products
- WP JobHunt plugin for WordPress, all versions through 7.2
- WordPress sites running the JobCareer Job Board theme bundle
- Subscriber-level and higher authenticated user contexts on affected installations
Discovery Timeline
- 2025-07-22 - CVE-2025-6585 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-6585
Vulnerability Analysis
The vulnerability resides in the cs_remove_profile_callback() function exposed through the WP JobHunt plugin. The function accepts a user-supplied identifier and performs an account deletion routine without verifying whether the requesting user owns the targeted account. Because authorization checks are absent, the function treats any authenticated request as legitimate regardless of the role boundary between the requester and the target. An attacker authenticating as a Subscriber, which is the lowest-privilege WordPress role accepting registrations, can issue an AJAX request that supplies an arbitrary target user identifier. The plugin then removes the corresponding account from the WordPress database, deleting associated metadata.
Root Cause
The root cause is missing validation on a user-controlled key passed to cs_remove_profile_callback(). The function does not verify that the supplied identifier matches the authenticated session user. It also omits role-based capability checks such as current_user_can() and skips nonce-bound ownership verification. This pattern matches the classic Insecure Direct Object Reference weakness mapped to CWE-20.
Attack Vector
An attacker first registers or signs in as a Subscriber on a vulnerable WordPress site. The attacker then sends an authenticated AJAX request to the cs_remove_profile_callback endpoint with a manipulated user identifier referencing an administrator account. The server processes the request without authorization checks and deletes the targeted user record. The result is loss of administrative access, site takeover risk during the recovery window, and data integrity damage. Refer to the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-6585
Indicators of Compromise
- Unexpected deletion of administrator or editor accounts in the WordPress wp_users table
- AJAX POST requests to admin-ajax.php with action=cs_remove_profile_callback originating from low-privilege sessions
- Audit log entries showing user removal events initiated by Subscriber-level accounts
- New Subscriber registrations followed shortly by privileged account deletions
Detection Strategies
- Review web server access logs for requests targeting cs_remove_profile_callback paired with non-administrative authentication cookies
- Compare current WordPress user counts against historical baselines to identify unauthorized deletions
- Inspect database backups for missing user_id values previously associated with administrator roles
- Correlate plugin AJAX activity with the role of the calling user to flag privilege boundary violations
Monitoring Recommendations
- Enable WordPress activity logging plugins that record user deletion events with actor identity
- Forward WordPress audit logs to a centralized SIEM for retention and correlation
- Alert on any user deletion event executed by a non-administrator account
- Monitor admin-ajax.php traffic volume and parameter patterns for anomalous AJAX action invocations
How to Mitigate CVE-2025-6585
Immediate Actions Required
- Disable the WP JobHunt plugin on any site running version 7.2 or earlier until a vendor patch is applied
- Restrict new user registrations or temporarily set default role to a custom limited role pending remediation
- Audit the WordPress user table and restore any deleted privileged accounts from recent backups
- Rotate administrator credentials and review session tokens for unauthorized activity
Patch Information
No fixed version is listed in the NVD record at the time of publication. Site operators should monitor the ThemeForest Item Overview and the Wordfence Vulnerability Report for the official vendor advisory and apply the security update once available.
Workarounds
- Place the affected endpoint behind a web application firewall rule that blocks cs_remove_profile_callback requests from non-administrator sessions
- Remove or restrict access to the WP JobHunt plugin directory using server-level access controls until patched
- Enforce administrator account protection by requiring strong multi-factor authentication on every privileged role
- Implement scheduled WordPress database backups so deleted accounts can be recovered quickly
# Example WAF rule pattern blocking the vulnerable AJAX action for non-admin users
# (adapt to your WAF syntax; this is illustrative)
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
"chain,deny,status:403,id:1006585,msg:'Block WP JobHunt cs_remove_profile_callback IDOR'"
SecRule ARGS:action "@streq cs_remove_profile_callback"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

