CVE-2025-12010: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in wpkube Authors List
The Authors List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.6.1 via arbitrary method calls from the Authors_List_Shortcode class. This makes it possible for authenticated attackers, with Contributor-level access and above, to call methods such as get_meta to extract sensitive user data including password hashes, email addresses, usernames, and activation keys via specially crafted shortcode attributes.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-12010 affects the Authors List plugin developed by wpkube for WordPress, present in all versions up to and including 2.0.6.1. The flaw resides in the Authors_List_Shortcode class, which allows authenticated users with Contributor-level permissions or higher to invoke arbitrary methods such as get_meta via specially crafted shortcode attributes. This method call enables attackers to extract sensitive user data stored within WordPress, including password hashes, email addresses, usernames, and activation keys. The vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. The CVSS v3.1 base score is 6.5, reflecting a medium severity with a network attack vector, low attack complexity, and requiring privileges at the Contributor level but no user interaction. The flaw compromises confidentiality but does not affect integrity or availability. No patches are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability's exploitation could facilitate further attacks such as credential cracking or targeted phishing campaigns by exposing critical user data. The plugin is widely used in WordPress environments, making this a relevant threat to many websites that rely on it for author listing functionality.
Potential Impact
The primary impact of CVE-2025-12010 is the unauthorized disclosure of sensitive user information, including password hashes and activation keys, which can lead to credential compromise and unauthorized account access. This exposure undermines user privacy and can facilitate further attacks such as privilege escalation, impersonation, or targeted phishing. While the vulnerability does not directly affect system integrity or availability, the confidentiality breach can have severe consequences for organizations, including reputational damage, regulatory non-compliance (e.g., GDPR), and potential financial losses. Websites using the vulnerable Authors List plugin that allow Contributor-level access to untrusted users are particularly at risk. Given the widespread use of WordPress globally, this vulnerability could affect a large number of sites, especially those with multiple authors or contributors. The absence of known exploits in the wild currently limits immediate widespread impact, but the ease of exploitation and sensitive nature of the data exposed make it a significant threat if weaponized.
Mitigation Recommendations
To mitigate CVE-2025-12010, organizations should first verify if they are using the Authors List plugin version 2.0.6.1 or earlier and upgrade to a patched version once available. In the absence of an official patch, administrators should restrict Contributor-level access to trusted users only and audit user roles to minimize exposure. Implementing strict shortcode attribute filtering or disabling shortcode execution for untrusted users can reduce the attack surface. Additionally, monitoring logs for unusual shortcode usage patterns may help detect exploitation attempts. Employing Web Application Firewalls (WAFs) with custom rules to block suspicious shortcode parameters can provide temporary protection. Regularly updating WordPress core and all plugins, enforcing strong password policies, and enabling multi-factor authentication for user accounts will further reduce risk. Finally, organizations should review and limit the amount of sensitive data accessible via plugin methods and consider alternative plugins with better security track records if immediate patching is not feasible.
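The "strict shortcode attribute filtering" and "limit the amount of sensitive data accessible via plugin methods" recommendations come down to one design rule: a shortcode attribute must never select which method or which user field gets called. The snippet below is an added illustration, not the Authors List plugin's code; the function names, the `authors_list` shortcode tag and the `field`/`user_id` attributes are assumptions. It shows the unsafe dispatch pattern beside a hardened form that only reaches an explicit allowlist of renderable fields.

```php
<?php
// Added illustration, not the plugin's own code. Shows dispatching on a
// shortcode attribute unsafely, then the allowlisted, hardened form.

// Unsafe pattern (hypothetical): whoever can place the shortcode chooses
// which public method runs, and its return value is rendered verbatim.
function authors_shortcode_unsafe( array $atts, object $handler ): string {
    $method = $atts['method'] ?? 'display_name';
    return (string) $handler->$method( $atts );
}

// Hardened pattern: the attribute is normalized with sanitize_key(), checked
// against a fixed allowlist, and only fields that are safe to render can be
// read. user_pass, user_email and user_activation_key are never reachable.
const AUTHORS_LIST_ALLOWED_FIELDS = array( 'display_name', 'description', 'user_url' );

function authors_shortcode_safe( array $atts ): string {
    $atts = shortcode_atts(
        array( 'field' => 'display_name', 'user_id' => 0 ),
        $atts,
        'authors_list' // shortcode tag assumed for this illustration
    );
    $field = sanitize_key( $atts['field'] );
    if ( ! in_array( $field, AUTHORS_LIST_ALLOWED_FIELDS, true ) ) {
        return ''; // anything not on the allowlist is rejected, not looked up
    }
    $user = get_userdata( absint( $atts['user_id'] ) );
    if ( ! $user instanceof WP_User ) {
        return '';
    }
    // WP_User::get() reads one named field; the name can only be an
    // allowlisted value at this point, so no reflection on caller input.
    return esc_html( (string) $user->get( $field ) );
}
```

Registering the hardened callback with `add_shortcode( 'authors_list', 'authors_shortcode_safe' )` is enough for the rule to hold regardless of the caller's role, which is the property an attribute-level filter or WAF rule can only approximate.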
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Netherlands, Japan, South Africa
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-21T12:38:07.051Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912b13014bc3e00ba783d3c
Added to database: 11/11/2025, 3:44:48 AM
Last enriched: 2/27/2026, 7:50:30 PM
Last updated: 3/25/2026, 4:39:53 AM