CVE-2025-0969: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in themefusecom Brizy – Page Builder
The Brizy – Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.16 via the get_users() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including email addresses and hashed passwords of administrators.
AI Analysis
Technical Summary
CVE-2025-0969 identifies a sensitive information exposure vulnerability in the Brizy – Page Builder plugin for WordPress, affecting all versions up to and including 2.7.16. The vulnerability arises from improper access control in the get_users() function, which allows authenticated users with Contributor-level permissions or higher to retrieve sensitive data about other users, including administrator email addresses and hashed passwords. Since Contributor-level users typically have limited capabilities, this escalation of information access represents a significant breach of the principle of least privilege. The vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity, so an attacker who already holds valid Contributor credentials can exploit it with little effort. The exposure of hashed passwords, while not immediately allowing password compromise, increases the risk of offline brute-force attacks and credential stuffing. The vulnerability does not impact data integrity or availability but severely compromises confidentiality. No patches or fixes are currently available, and no known exploits have been reported in the wild as of the publication date. The vulnerability is tracked under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) and has a CVSS v3.1 base score of 6.5, indicating a medium severity level. The flaw highlights the risks of insufficient access control in WordPress plugins that handle user data and the importance of restricting permissions and monitoring user roles.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive user data, particularly administrator credentials. Exposure of administrator email addresses and hashed passwords can facilitate targeted phishing, social engineering, and offline password cracking attempts, potentially leading to full account compromise. Organizations relying on Brizy – Page Builder for their WordPress sites may face reputational damage, regulatory penalties under GDPR for inadequate protection of personal data, and increased risk of further attacks leveraging compromised credentials. Exploitation requires only Contributor-level access, which may be granted to external contributors or less trusted users, increasing the attack surface. Since WordPress powers a substantial portion of European websites, including many small and medium enterprises, the potential impact is broad. The lack of a patch at the time of disclosure necessitates immediate compensating controls to prevent unauthorized data access. Additionally, if the exposed password hashes were produced with a weak hashing algorithm, they could be cracked and lead to credential compromise. Overall, the vulnerability undermines trust in affected websites and can serve as a foothold for more severe attacks.
Mitigation Recommendations
European organizations should immediately audit and restrict Contributor-level access on WordPress sites using the Brizy – Page Builder plugin, limiting it to trusted users only. Implement strict user role management and regularly review user permissions to ensure minimal necessary access. Monitor logs for unusual access patterns or attempts to enumerate user data via the get_users() function. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting user enumeration endpoints. Encourage or enforce strong password policies and multi-factor authentication for all users, especially administrators, to mitigate risks from exposed hashed passwords. Back up site data regularly and maintain an incident response plan for potential data breaches. Stay informed about updates from the plugin vendor and apply patches promptly once released. If feasible, temporarily disable or replace the Brizy – Page Builder plugin until a secure version is available. Additionally, consider implementing rate limiting and anomaly detection to reduce the risk of automated exploitation attempts.
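As an added illustration of the least-privilege and data-minimization pattern these recommendations call for (hypothetical plugin code written for this page, not Brizy's own), here is a WordPress AJAX handler that serves a user list only to callers holding the list_users capability and never loads email or password-hash columns; the action and nonce names are assumptions:

```php
<?php
/**
 * Hypothetical example (not Brizy code): a user-listing AJAX endpoint that
 * enforces a capability check and returns only non-sensitive fields.
 * Registered under wp_ajax_ so it is reachable by logged-in users only.
 */
add_action( 'wp_ajax_example_list_users', 'example_list_users' );

function example_list_users() {
    // Reject forged cross-site requests; the nonce action name is an assumption.
    check_ajax_referer( 'example_list_users', 'nonce' );

    // Capability check: Contributors do not hold list_users, so they are refused here
    // rather than being handed administrator records.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Ask WordPress for the minimal column set only: user_email and user_pass
    // are never selected, so they cannot leak through this response.
    $users = get_users(
        array(
            'fields' => array( 'ID', 'display_name' ),
            'number' => 100, // cap the page size so one call cannot dump the whole table
        )
    );

    $out = array();
    foreach ( $users as $u ) {
        $out[] = array(
            'id'   => (int) $u->ID,
            'name' => sanitize_text_field( $u->display_name ),
        );
    }

    wp_send_json_success( $out );
}
```

The same two controls (capability check before the query, field allowlist in the query) apply to any plugin endpoint that exposes user records, whether it uses admin-ajax or the REST API.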
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-02-02T01:30:03.441Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693d2747f35c2264d84722e4
Added to database: 12/13/2025, 8:43:51 AM
Last enriched: 12/13/2025, 8:51:49 AM
Last updated: 12/15/2025, 1:34:52 AM