CVE-2025-0969: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in themefusecom Brizy – Page Builder
The Brizy – Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.16 via the get_users() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including email addresses and hashed passwords of administrators.
AI Analysis
Technical Summary
CVE-2025-0969 is a vulnerability categorized under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) found in the Brizy – Page Builder plugin for WordPress, maintained by themefusecom. The flaw exists in all versions up to and including 2.7.16 and arises from improper access control around the get_users() function. When the affected code path is invoked by authenticated users with Contributor-level permissions or higher, it can be used to retrieve sensitive data such as email addresses and hashed passwords of site administrators. The vulnerability is remotely exploitable without user interaction, requiring only authenticated access with relatively low privileges. The CVSS v3.1 score is 6.5 (medium), reflecting high confidentiality impact but no impact on integrity or availability. Because no privilege beyond Contributor is required, an attacker who has registered or compromised an account at that level can learn administrator contact details and password hashes. Although no public exploits are known yet, the exposure of hashed passwords could facilitate offline cracking attempts, potentially leading to full administrator account compromise. The plugin is widely used in WordPress environments, which are common worldwide, increasing the scope of affected systems. The lack of an official patch link suggests that mitigation may currently rely on access control hardening or plugin updates once available.
Potential Impact
The primary impact of CVE-2025-0969 is the unauthorized disclosure of sensitive administrator information, including email addresses and hashed passwords. This exposure can lead to several downstream risks: attackers may use the leaked email addresses for targeted phishing or social engineering campaigns; hashed passwords, if weakly hashed, could be cracked offline, enabling attackers to gain full administrator access; compromised administrator accounts can lead to complete site takeover, data manipulation, or further malware deployment. Since the vulnerability requires only Contributor-level access, it lowers the barrier for attackers who may have registered accounts or compromised lower-privileged users. The confidentiality breach undermines trust and could lead to regulatory compliance issues, especially in jurisdictions with strict data protection laws. Although integrity and availability are not directly affected, the potential for privilege escalation and subsequent attacks makes this vulnerability a significant threat to WordPress sites using the Brizy plugin.
Mitigation Recommendations
1. Immediate mitigation involves restricting Contributor-level user capabilities to prevent exploitation until a patch is available. This can be done by customizing user roles to remove access to functions that invoke get_users() or by using security plugins to limit access.
2. Monitor and audit user accounts with Contributor or higher privileges to detect any suspicious activity or unauthorized access.
3. Encourage strong password policies and enforce multi-factor authentication (MFA) for all users with elevated privileges to reduce the risk of account compromise.
4. Regularly update the Brizy – Page Builder plugin as soon as the vendor releases a patch addressing this vulnerability.
5. Consider implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the get_users() function or related endpoints.
6. Educate site administrators and users about the risks of privilege escalation and the importance of limiting user roles to the minimum necessary.
7. Conduct regular security assessments and penetration testing to identify similar access control issues proactively.
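The pattern behind this class of bug is a plugin endpoint that calls get_users() without a capability check and hands back full WP_User objects, which carry user_email and user_pass (the password hash). The hardened handler below is an added example, not Brizy's code; the action name, nonce name and function name are hypothetical, and it shows the two controls a reviewer would look for: a current_user_can() gate that Contributors fail, and field minimisation so the hash and email never reach the response.

```php
<?php
// Added example (not Brizy's code). Hypothetical AJAX action used by a
// page-builder UI to list users. The defect pattern this guards against is
// returning WP_User objects (including user_email and user_pass) to any
// logged-in caller, Contributors included.
add_action( 'wp_ajax_example_builder_list_users', 'example_builder_list_users' );

function example_builder_list_users() {
    // 1. Capability check. 'list_users' is held by Administrators (and by no
    //    default role below that), so Contributors and Authors are refused here.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. Nonce check so the action cannot be triggered cross-site.
    check_ajax_referer( 'example_builder_nonce', 'nonce' );

    // 3. Data minimisation: request only the columns the UI needs. With a
    //    'fields' array, get_users() returns plain objects holding just these
    //    properties, so user_pass and user_email are never loaded at all.
    $users = get_users( array(
        'fields' => array( 'ID', 'display_name' ),
        'number' => 100,
    ) );

    // 4. Explicit allow-list on output as defence in depth, so a later change
    //    to the query (e.g. 'fields' => 'all') cannot silently widen the leak.
    $out = array();
    foreach ( $users as $u ) {
        $out[] = array(
            'id'   => (int) $u->ID,
            'name' => sanitize_text_field( $u->display_name ),
        );
    }

    wp_send_json_success( $out );
}
```

When auditing a site for this issue, grep the plugin's admin-ajax and REST callbacks for get_users() and confirm each one is preceded by a capability check and constrains 'fields'; a handler that returns the raw query result is the exact shape described in the advisory.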
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-02-02T01:30:03.441Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693d2747f35c2264d84722e4
Added to database: 12/13/2025, 8:43:51 AM
Last enriched: 2/27/2026, 5:58:47 PM
Last updated: 3/24/2026, 7:52:25 AM