CVE-2025-12770: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in saadiqbal New User Approve
The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using loose equality comparison. This makes it possible for unauthenticated attackers to retrieve personally identifiable information (PII), including usernames and email addresses of users with various approval statuses via the Zapier REST API endpoints, by exploiting PHP type juggling with the api_key parameter set to "0" on sites where the Zapier API key has not been configured.
AI Analysis
Technical Summary
The New User Approve plugin for WordPress, developed by saadiqbal, is affected by CVE-2025-12770, classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). All versions up to and including 3.0.9 are affected. The root cause is insufficient validation of the api_key parameter in the plugin's Zapier REST API endpoints: the supplied key is checked against the stored key with PHP's loose equality operator (==) rather than a strict comparison. Under loose comparison a string compared with a boolean is first converted to a boolean, and the string "0" converts to false, so "0" == false evaluates to true on both PHP 7 and PHP 8. On a site where the Zapier API key has never been configured, the stored value is typically not a string at all but false (the default that WordPress's get_option() returns for an option that was never set), so a request carrying api_key=0 satisfies the check. Consequently, unauthenticated attackers can retrieve personally identifiable information (PII) such as usernames and email addresses of users in the various approval states. The flaw is only exploitable while the Zapier API key is unconfigured; a configured key is a non-empty string that the loose comparison does not match with "0". The CVSS v3.1 base score is 5.3 (medium): network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, low confidentiality impact and no integrity or availability impact. No exploits in the wild were known at publication. The CVE was reserved on November 5, 2025 and published on November 19, 2025. This page links no fixed release, so mitigation relies on configuring the key or applying a plugin update when one is available.
Potential Impact
This vulnerability allows unauthorized disclosure of sensitive user information, specifically usernames and email addresses, which can be leveraged for targeted phishing, credential stuffing, social engineering, or further attacks against the affected organization or its users. It does not affect system integrity or availability, but exposure of PII can lead to reputational damage, regulatory compliance violations (such as GDPR or CCPA) and potential legal consequences. Any WordPress site running the plugin without a configured Zapier API key is at risk, and sites that never set up the Zapier integration are exactly the ones whose key is unconfigured, so not using Zapier is no reason to assume a site is unaffected. The ease of exploitation (a single unauthenticated request, no user interaction) makes automated scanning and bulk harvesting across many sites likely. Although no exploits are currently known in the wild, the public disclosure may prompt attackers to develop exploit tools. The impact is primarily on confidentiality, affecting user privacy and trust.
Mitigation Recommendations
1. Immediately check whether the Zapier API key is configured in the New User Approve plugin settings. If it is not, set a long random key (for example 32 bytes from a CSPRNG, hex-encoded). Avoid keys that are purely numeric strings: PHP compares two numeric strings numerically even under ==, so a value such as "0e123" would itself compare equal to "0".
2. Monitor for updates from the plugin vendor (saadiqbal) and apply a fixed release promptly once one is available.
3. If patching is not immediately possible, disable the Zapier integration or deactivate the New User Approve plugin temporarily to remove the attack surface.
4. As a stop-gap, add web application firewall (WAF) rules that block requests to the plugin's Zapier REST API endpoints whose api_key parameter is "0". Treat this as narrow: the empty string also compares loosely equal to false in PHP, and a signature on one literal does not fix the underlying comparison.
5. Review web server and REST API access logs for unauthenticated requests to the Zapier endpoints, especially bursts from a single source or requests carrying api_key=0, to determine whether user data has already been harvested.
6. For developers of the plugin or of custom integrations: compare API keys with === or hash_equals(), reject non-string input, and fail closed when no key is configured rather than comparing against a missing value.
7. Review other plugins and custom code for the same pattern (== against a value that may be false, null or a numeric string).
8. Employ network-level monitoring to detect anomalous traffic targeting the Zapier REST API endpoints.
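The following PHP script is an added illustration and is not code from the New User Approve plugin. It reproduces the comparison pattern described in the technical summary against a stand-in for WordPress's get_option() (a missing option yields false) and puts the hardened check recommended above beside it. The option name example_zapier_api_key, the function names and the sample inputs are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Stand-in for WordPress get_option():
// an option that was never set returns false, which is what an unconfigured
// Zapier key looks like to the comparison.
function stored_api_key(array $options, string $name)
{
    return $options[$name] ?? false;
}

// Vulnerable pattern: loose comparison. With $stored === false, the request
// value "0" (and "") converts to boolean false and the check passes.
function verify_key_loose($stored, $provided): bool
{
    return $stored == $provided;
}

// Hardened pattern: fail closed when no key is configured, accept only a
// non-empty string from the request, and compare with hash_equals(), which is
// type-strict and constant-time.
function verify_key_strict($stored, $provided): bool
{
    if (!is_string($stored) || $stored === '') {
        return false;               // key never configured: deny everything
    }
    if (!is_string($provided) || $provided === '') {
        return false;
    }
    return hash_equals($stored, $provided);
}

// A key that is long, random and (in practice) never a bare numeric string.
function generate_api_key(): string
{
    return bin2hex(random_bytes(32)); // 64 hex characters
}

$unconfigured = stored_api_key([], 'example_zapier_api_key');          // false
$configured   = stored_api_key(
    ['example_zapier_api_key' => generate_api_key()],
    'example_zapier_api_key'
);

// Constructed request values, labelled with what each case demonstrates.
$cases = [
    ['unconfigured key, api_key="0"',              $unconfigured, '0'],
    ['unconfigured key, api_key=""',               $unconfigured, ''],
    ['unconfigured key, api_key="0.0"',            $unconfigured, '0.0'],
    ['numeric-string key "0e1", api_key="0e2"',    '0e1',         '0e2'],
    ['configured random key, api_key="0"',         $configured,   '0'],
];

foreach ($cases as [$label, $stored, $provided]) {
    printf(
        "%-44s loose=%-4s strict=%s\n",
        $label,
        verify_key_loose($stored, $provided) ? 'PASS' : 'deny',
        verify_key_strict($stored, $provided) ? 'PASS' : 'deny'
    );
}
```

Run it with `php` from the command line. The first two cases are the advisory's condition: with no key configured, the loose check passes for "0" and for the empty string, while the strict check denies both because it refuses to compare against a missing key. The "0.0" case shows that not every zero-like string works (it converts to boolean true), and the "0e1" versus "0e2" case shows why mitigation item 1 warns against numeric-string keys: two numeric strings are compared as numbers under == even when a key is configured. Only the hardened function denies every case.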
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-05T19:45:17.059Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691d3cbbc00dea8b9c9becbb
Added to database: 11/19/2025, 3:42:51 AM
Last enriched: 2/27/2026, 9:06:29 PM
Last updated: 3/23/2026, 11:58:17 PM