The WP Discourse plugin integrates WordPress with Discourse forums by synchronizing comments and posts. Versions up to and including 2.5.9 contain a vulnerability (CVE-2025-11983) classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The root cause is that during comment synchronization, the plugin sends Discourse API credentials—specifically the Api-Key and Api-Username headers—unconditionally to any host specified in the discourse_permalink custom field of a post. This means that an authenticated user with author-level or higher privileges can craft or modify posts to include attacker-controlled hosts in this field, causing the plugin to leak sensitive API credentials to those hosts. With these credentials, attackers can query internal Discourse services, potentially gaining unauthorized access or performing further attacks within the internal network. The vulnerability requires authentication at author-level or above but does not require user interaction beyond that. The CVSS 3.1 base score is 4.3 (medium), reflecting the limited scope of privilege required and the impact confined to confidentiality without integrity or availability impact. No patches or exploits are currently publicly available, but the risk of credential exfiltration and subsequent internal service compromise is significant for affected deployments.

The primary impact is the unauthorized disclosure of sensitive Discourse API credentials, which can lead to unauthorized access to internal Discourse services. This can enable attackers to read internal data, manipulate forum content, or pivot to other internal systems, increasing the risk of broader compromise. Organizations relying on WP Discourse for forum integration may face data confidentiality breaches, reputational damage, and potential compliance violations if sensitive user or organizational data is exposed. Since the vulnerability requires author-level authentication, the risk is higher in environments where many users have elevated privileges or where account compromise is easier. The lack of integrity or availability impact limits direct service disruption, but the credential leakage can facilitate further attacks with more severe consequences.

Organizations should immediately review user privileges and restrict author-level access to trusted users only. Implement strict input validation and sanitization for the discourse_permalink custom field to prevent injection of attacker-controlled hosts. Monitor network traffic for unusual outbound connections to unknown hosts from WordPress servers. If possible, disable or remove the WP Discourse plugin until a patched version is released. Employ network segmentation to limit WordPress server access to internal Discourse services. Rotate Discourse API credentials regularly and immediately after suspected exposure. Implement logging and alerting on API key usage to detect anomalous activity. Engage with the plugin vendor or community to obtain or develop patches addressing the unconditional sending of API credentials.