
CVE-2025-0969: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in themefusecom Brizy – Page Builder

Severity: Medium
Tags: Vulnerability, CVE-2025-0969, CWE-359
Published: Sat Dec 13 2025 (12/13/2025, 08:21:13 UTC)
Source: CVE Database V5
Vendor/Project: themefusecom
Product: Brizy – Page Builder

Description

The Brizy – Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.16 via the get_users() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including email addresses and hashed passwords of administrators.

AI-Powered Analysis

Last updated: 12/20/2025, 09:09:22 UTC

Technical Analysis

CVE-2025-0969 identifies a vulnerability classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) in the Brizy – Page Builder plugin for WordPress, affecting all versions up to and including 2.7.16. The flaw resides in the plugin's get_users() function, which improperly exposes sensitive user data to authenticated users with Contributor-level permissions or higher. Specifically, such users can retrieve the email addresses and hashed passwords of administrators, data that is normally protected. Exploitation requires network access and an authenticated account but no user interaction, so it is feasible in any environment where Contributor roles are assigned. The vulnerability affects confidentiality only; it does not affect data integrity or system availability. The CVSS 3.1 base score is 6.5 (medium severity), reflecting a network attack vector, low attack complexity, and privileges required. No public exploits have been reported yet, but the risk remains significant because of the nature of the exposed data. The issue is particularly concerning for multi-user WordPress installations where contributors are trusted with content creation but should not be able to access sensitive administrative data. Because no patch was available at the time of publication, interim mitigations are necessary. The CVE was reserved early in 2025 and published in December 2025, indicating recent discovery and disclosure.

Potential Impact

For European organizations, this vulnerability poses a risk of sensitive data leakage from WordPress sites using the Brizy – Page Builder plugin. Exposure of administrator email addresses and hashed passwords can facilitate targeted phishing, credential stuffing, or privilege escalation attacks, potentially leading to broader compromise of web infrastructure. Organizations relying on WordPress for corporate websites, intranets, or customer portals may face reputational damage, regulatory scrutiny under GDPR due to personal data exposure, and operational disruptions if attackers leverage leaked credentials. The medium severity indicates that while the vulnerability does not directly enable system takeover, it significantly lowers the barrier for further attacks. Given the widespread use of WordPress in Europe and the popularity of page builder plugins, the threat surface is substantial. Additionally, the requirement for authenticated access means insider threats or compromised contributor accounts can be leveraged to exploit this vulnerability. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Immediately audit and restrict Contributor-level and higher user accounts to trusted personnel only, minimizing the number of users with such privileges.
2) Monitor user activity logs for unusual access patterns to user data or attempts to enumerate users via the get_users() function.
3) Apply the principle of least privilege by reviewing and tightening WordPress role capabilities, potentially disabling or limiting access to user enumeration functions for non-administrative roles.
4) Temporarily disable or replace the Brizy – Page Builder plugin, if feasible, until the vendor releases a security patch.
5) Implement multi-factor authentication (MFA) for all WordPress accounts to reduce the risk from compromised credentials.
6) Keep WordPress core and all plugins updated, and subscribe to vendor security advisories for timely patch deployment.
7) Consider deploying a Web Application Firewall (WAF) with custom rules to detect and block suspicious API calls or user enumeration attempts.
8) Educate content contributors about phishing and social engineering risks to prevent account compromise.

These targeted actions go beyond generic advice by focusing on access control, monitoring, and proactive plugin management.


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-02-02T01:30:03.441Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 693d2747f35c2264d84722e4

Added to database: 12/13/2025, 8:43:51 AM

Last enriched: 12/20/2025, 9:09:22 AM

Last updated: 2/6/2026, 5:14:02 PM
