
CVE-2025-12770: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in saadiqbal New User Approve

Severity: Medium
Published: Wed Nov 19 2025 (11/19/2025, 03:29:39 UTC)
Source: CVE Database V5
Vendor/Project: saadiqbal
Product: New User Approve

Description

The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using loose equality comparison. This makes it possible for unauthenticated attackers to retrieve personally identifiable information (PII), including usernames and email addresses of users with various approval statuses via the Zapier REST API endpoints, by exploiting PHP type juggling with the api_key parameter set to "0" on sites where the Zapier API key has not been configured.

AI-Powered Analysis

Last updated: 11/26/2025, 04:44:48 UTC

Technical Analysis

The New User Approve plugin for WordPress, widely used to manage user approval workflows, contains a vulnerability identified as CVE-2025-12770. This vulnerability stems from insufficient validation of the API key parameter in the Zapier REST API endpoints. Specifically, the plugin uses a loose equality comparison (==) in PHP to validate the api_key parameter, which allows an attacker to bypass authentication by exploiting PHP's type juggling behavior. By setting the api_key parameter to the string "0", an unauthenticated attacker can trick the system into granting access to sensitive user data. This data includes personally identifiable information (PII) such as usernames and email addresses of users with various approval statuses. The vulnerability affects all versions up to and including 3.0.9 of the plugin. The flaw does not require any authentication or user interaction, making it remotely exploitable over the network with low complexity. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and has a CVSS v3.1 base score of 5.3, indicating a medium severity level. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The exposure of PII can lead to privacy violations, targeted phishing attacks, and reputational damage for affected organizations. The vulnerability is particularly concerning for sites that have not configured the Zapier API key, as this condition is necessary for exploitation.
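The comparison failure described above, as an added illustration that is not the plugin's code: it assumes the stored key is read with WordPress get_option() (which returns false when the option was never set) and compared with PHP's loose `==`, and shows the strict, constant-time check that closes the gap. Requires PHP 8 for the union type hints.

```php
<?php
// Added illustration (not the plugin's code). Assumption: the stored Zapier key
// comes from get_option(), which returns false when it has never been configured.

function stored_key_stub(bool $configured): string|false
{
    // Stand-in for get_option('<zapier key option>'); false models "not configured".
    return $configured ? 'example-configured-key' : false;
}

// Weak check: loose comparison. In PHP, false == "0" is true because the string
// "0" is converted to bool false before comparing, so an unconfigured key matches.
function weak_check(string|false $stored, string $supplied): bool
{
    return $stored == $supplied;
}

// Hardened check: deny outright when no key is configured, then compare strictly
// and in constant time so type juggling and timing leaks are both ruled out.
function hardened_check(string|false $stored, string $supplied): bool
{
    if (!is_string($stored) || $stored === '') {
        return false; // integration not set up: nothing may authenticate
    }
    return hash_equals($stored, $supplied);
}

// Constructed cases: unconfigured site with "0" and "", configured site with a
// wrong and a correct key.
$cases = [
    ['configured' => false, 'supplied' => '0'],
    ['configured' => false, 'supplied' => ''],
    ['configured' => true,  'supplied' => '0'],
    ['configured' => true,  'supplied' => 'example-configured-key'],
];

foreach ($cases as $c) {
    $stored = stored_key_stub($c['configured']);
    printf(
        "configured=%-5s supplied=%-26s weak=%-5s hardened=%s\n",
        var_export($c['configured'], true),
        var_export($c['supplied'], true),
        var_export(weak_check($stored, $c['supplied']), true),
        var_export(hardened_check($stored, $c['supplied']), true)
    );
}
```

The two unconfigured cases pass the weak check and fail the hardened one; only the configured site with the correct key passes the hardened check.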

Potential Impact

For European organizations, the exposure of usernames and email addresses can lead to significant privacy and compliance risks, especially under GDPR regulations which mandate strict protection of personal data. Unauthorized disclosure of PII can result in regulatory penalties, loss of customer trust, and potential legal actions. Additionally, exposed user information can be leveraged by attackers for spear-phishing campaigns or social engineering attacks targeting employees or customers. Organizations relying on WordPress with the New User Approve plugin integrated with Zapier workflows are particularly vulnerable. The medium severity score reflects that while the vulnerability does not allow system compromise or data modification, the confidentiality breach alone is impactful. The ease of exploitation without authentication increases the likelihood of opportunistic attacks. Given the widespread use of WordPress in Europe and the popularity of SaaS integrations like Zapier, the potential attack surface is considerable. This vulnerability could affect sectors with high privacy requirements such as finance, healthcare, and government institutions.

Mitigation Recommendations

European organizations should immediately verify if their WordPress installations use the New User Approve plugin, particularly versions up to 3.0.9. If the plugin is in use, they should disable or restrict access to the Zapier REST API endpoints until a patch or update is available. Organizations should configure the Zapier API key properly to prevent the api_key parameter from being unset or defaulting to "0". Implementing web application firewall (WAF) rules to block requests with suspicious api_key values or unusual query parameters can help mitigate exploitation attempts. Monitoring web server logs for anomalous requests targeting the api_key parameter is recommended to detect potential exploitation attempts. Organizations should also consider isolating or limiting the plugin’s API access to trusted IP addresses or internal networks. Regularly updating WordPress plugins and subscribing to security advisories from the plugin vendor or WordPress security teams will ensure timely application of patches once released. Finally, organizations should review their data exposure policies and ensure that only necessary user information is accessible via APIs.


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-05T19:45:17.059Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691d3cbbc00dea8b9c9becbb

Added to database: 11/19/2025, 3:42:51 AM

Last enriched: 11/26/2025, 4:44:48 AM

Last updated: 1/7/2026, 4:24:30 AM

