CVE-2025-12681 identifies a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) in the WordPress plugin 'Comment Edit Core – Simple Comment Editing' developed by ronalfy. The flaw exists in the 'ajax_get_comment' function, which improperly handles access controls, allowing unauthenticated attackers to retrieve sensitive user data including user IDs, IP addresses, and email addresses. This vulnerability affects all versions up to and including 3.1.0 of the plugin. The attack vector is network-based with no authentication or user interaction required, making it relatively easy to exploit remotely. The CVSS 3.1 base score is 5.3 (medium), reflecting the limited impact on confidentiality only, with no effect on integrity or availability. The exposure of personally identifiable information (PII) can facilitate further attacks such as targeted phishing, social engineering, or user enumeration. No patches were available at the time of publication, and no known exploits have been observed in the wild. The vulnerability is particularly concerning for websites that rely on this plugin for comment editing functionality, as it undermines user privacy and trust. The technical root cause is insufficient access control enforcement on AJAX endpoints that expose comment-related data.

For European organizations, the exposure of user IDs, IP addresses, and email addresses can have significant privacy and regulatory implications, especially under GDPR requirements. Unauthorized disclosure of PII can lead to legal penalties, reputational damage, and loss of customer trust. Attackers could leverage the exposed data to conduct targeted phishing campaigns, credential stuffing, or social engineering attacks against users or administrators. Although the vulnerability does not allow direct system compromise or service disruption, the confidentiality breach alone is critical for organizations handling sensitive or personal data. Websites using the affected plugin may also face increased scrutiny from data protection authorities. The impact is heightened for sectors with sensitive user data such as finance, healthcare, and e-commerce. Additionally, the ease of exploitation means attackers can quickly gather large volumes of user information without detection.

Organizations should immediately audit their WordPress installations to identify if the 'Comment Edit Core – Simple Comment Editing' plugin is in use and determine the version. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate exposure. If disabling is not feasible, restricting access to the AJAX endpoints via web application firewall (WAF) rules or server-level access controls (e.g., IP whitelisting, authentication requirements) can reduce risk. Monitoring web server logs for unusual or repeated requests to 'ajax_get_comment' can help detect exploitation attempts. Implementing rate limiting on AJAX endpoints may also mitigate automated data harvesting. Once a vendor patch is available, prompt updating to the fixed version is essential. Additionally, organizations should review their privacy policies and notify affected users if data exposure is confirmed, in compliance with GDPR. Regular security assessments and plugin inventory management will help prevent similar risks.