The vulnerability identified as CVE-2025-12010 affects the Authors List plugin for WordPress, specifically all versions up to and including 2.0.6.1. The issue is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. The root cause is an arbitrary method call vulnerability within the Authors_List_Shortcode class, which processes shortcode attributes. Authenticated users with Contributor-level permissions or higher can exploit this flaw by crafting shortcode attributes that invoke internal methods such as get_meta. This method can retrieve sensitive user metadata including password hashes, email addresses, usernames, and activation keys. Since Contributors and above are typically allowed to create or edit content, they can embed these malicious shortcodes in posts or pages, triggering the data leak when the shortcode is rendered. The vulnerability does not require user interaction beyond the attacker’s own authenticated session and does not affect availability or integrity, but it severely compromises confidentiality. The CVSS v3.1 score is 6.5 (medium severity) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network exploitability with low attack complexity, requiring privileges but no user interaction, and resulting in high confidentiality impact. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly.

For European organizations, this vulnerability poses a significant risk to the confidentiality of user data stored in WordPress sites using the Authors List plugin. Exposure of password hashes and activation keys could facilitate credential stuffing, account takeover, or privilege escalation attacks. Email addresses and usernames leakage can aid phishing campaigns and social engineering attacks targeting employees or customers. Since Contributors and higher roles are common in content management workflows, insider threats or compromised contributor accounts could be leveraged to exploit this vulnerability. The impact is particularly critical for organizations handling sensitive personal data under GDPR, as data breaches could lead to regulatory fines and reputational damage. Additionally, websites serving as customer portals, intranets, or community platforms are at higher risk. The vulnerability does not affect system availability or integrity directly but can be a stepping stone for further attacks.

European organizations should immediately audit their WordPress installations to identify if the Authors List plugin is installed and determine its version. Until an official patch is released, restrict Contributor and higher roles from adding or editing shortcodes or disable the Authors List plugin if feasible. Implement strict role-based access controls and monitor contributor activities for suspicious shortcode usage. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious shortcode attributes targeting the Authors_List_Shortcode class. Regularly update WordPress core and plugins, and subscribe to vendor advisories for patch releases. Conduct security awareness training for content editors about the risks of shortcode misuse. Consider scanning site content for unauthorized shortcodes and remove them. Finally, review user metadata access permissions and harden the WordPress environment by disabling unnecessary plugin features.