
CVE-2025-12770: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in saadiqbal New User Approve

Severity: Medium
Published: Wed Nov 19 2025 (11/19/2025, 03:29:39 UTC)
Source: CVE Database V5
Vendor/Project: saadiqbal
Product: New User Approve

Description

CVE-2025-12770 is a medium severity vulnerability in the WordPress plugin 'New User Approve' up to and including version 3.0.9. It allows unauthenticated attackers to retrieve personally identifiable information (PII) such as usernames and email addresses by exploiting insufficient API key validation in the Zapier REST API endpoints. The vulnerability arises from a loose equality comparison in PHP, enabling a type juggling attack when the api_key parameter is set to "0" on sites without a configured Zapier API key. This exposure affects confidentiality but does not impact integrity or availability. No known exploits are currently reported in the wild. European organizations using this plugin on WordPress sites should prioritize patching or mitigating this issue to prevent unauthorized data disclosure.

AI-Powered Analysis

Last updated: 11/19/2025, 03:58:15 UTC

Technical Analysis

The New User Approve plugin for WordPress, developed by saadiqbal, suffers from a vulnerability identified as CVE-2025-12770, categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). This vulnerability exists in all versions up to and including 3.0.9. The root cause is insufficient validation of the Zapier API key parameter in the plugin's REST API endpoints. Specifically, the plugin uses a loose equality comparison (==) in PHP to validate the api_key parameter. Due to PHP's type juggling behavior, an attacker can bypass authentication by setting the api_key parameter to the string "0", which loosely equals false or null in PHP. This allows unauthenticated attackers to access sensitive user data, including usernames and email addresses, for users with various approval statuses. The vulnerability only exposes confidentiality; it does not allow modification or deletion of data, nor does it affect system availability. Exploitation requires no authentication or user interaction and can be performed remotely over the network. The vulnerability is present only if the Zapier API key is not configured on the site, which may be common in some deployments. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the ease of exploitation and limited impact scope. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date (November 19, 2025).

Potential Impact

For European organizations, this vulnerability poses a risk of unauthorized disclosure of personally identifiable information (PII) such as usernames and email addresses. Exposure of such data can lead to privacy violations under GDPR and other data protection regulations, potentially resulting in regulatory fines and reputational damage. Attackers could use the disclosed information for targeted phishing campaigns, social engineering, or further attacks against the organization. Although the vulnerability does not allow data modification or service disruption, the confidentiality breach alone is significant given the sensitivity of user data. Organizations running WordPress sites with the New User Approve plugin, especially those handling sensitive user information or operating in regulated sectors such as finance, healthcare, or government, are at higher risk. The lack of authentication requirement and remote exploitability increase the threat level, particularly for publicly accessible websites.

Mitigation Recommendations

European organizations should immediately verify if they use the New User Approve WordPress plugin version 3.0.9 or earlier. If so, they should:

1) Disable the Zapier REST API integration if it is not required, especially if the Zapier API key is not configured.
2) Implement strict API key validation by modifying the plugin code to use strict comparison (===) instead of loose equality (==) for the api_key parameter to prevent type juggling attacks.
3) Monitor web server logs for suspicious requests with api_key parameters set to "0" or other anomalous values.
4) Restrict access to the REST API endpoints via web application firewall (WAF) rules or IP whitelisting where feasible.
5) Regularly update the plugin once an official patch or new version is released by the vendor.
6) Conduct privacy impact assessments and review data exposure risks related to this vulnerability.
7) Educate site administrators about secure plugin configuration and the risks of leaving API keys unconfigured.
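The following PHP is an added illustration, not code from the New User Approve plugin, tying together the type-juggling root cause from the Technical Analysis and the strict-comparison fix in recommendation 2. It assumes the stored key is read the way WordPress get_option() works (returning false when the option was never saved); the option name and sample key are placeholders. It also goes slightly beyond the page by showing that an empty api_key passes the same loose check, which is why log monitoring should flag empty values as well as "0".

```php
<?php
// Added example, not code from the New User Approve plugin.
// Placeholder option name; the plugin's real option key is not given on this page.
const ZAPIER_KEY_OPTION = 'example_zapier_api_key';

// Stand-in for WordPress get_option(): returns false when the option was never saved.
function get_stored_key(array $options)
{
    return $options[ZAPIER_KEY_OPTION] ?? false;
}

// Vulnerable pattern: loose equality. With no key configured, $stored is false and
// PHP converts the request string to bool for the comparison; "0" (and "") are falsy,
// so "0" == false evaluates to true and the request is treated as authenticated.
function check_key_loose(string $provided, $stored): bool
{
    return $provided == $stored;
}

// Hardened pattern: refuse to authenticate anything when no key is configured,
// require a non-empty string, then compare with hash_equals (strict and constant time).
function check_key_strict(string $provided, $stored): bool
{
    if (!is_string($stored) || $stored === '') {
        return false; // integration not configured: no request can be authenticated
    }
    return hash_equals($stored, $provided);
}

// Constructed sample sites: one with no Zapier key saved, one with a placeholder key.
$unconfigured = [];
$configured   = [ZAPIER_KEY_OPTION => 'sample-key-0123'];

// Request parameters arrive as strings; "0" is the value named in the advisory.
foreach (['"0"' => '0', 'empty' => '', 'real key' => 'sample-key-0123'] as $label => $input) {
    printf(
        "api_key=%-9s unconfigured: loose=%-5s strict=%-5s | configured: loose=%-5s strict=%s\n",
        $label,
        var_export(check_key_loose($input, get_stored_key($unconfigured)), true),
        var_export(check_key_strict($input, get_stored_key($unconfigured)), true),
        var_export(check_key_loose($input, get_stored_key($configured)), true),
        var_export(check_key_strict($input, get_stored_key($configured)), true)
    );
}
```

On an unconfigured site the loose check returns true for both "0" and the empty string while the strict check returns false for every input; on a configured site both checks accept only the exact key.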


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-05T19:45:17.059Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691d3cbbc00dea8b9c9becbb

Added to database: 11/19/2025, 3:42:51 AM

Last enriched: 11/19/2025, 3:58:15 AM

Last updated: 11/19/2025, 4:03:11 AM
