CVE-2025-12778: CWE-862 Missing Authorization in userelements Ultimate Member Widgets for Elementor – WordPress User Directory
The Ultimate Member Widgets for Elementor – WordPress User Directory plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_filter_users function in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to extract partial metadata of all WordPress users, including their first name, last name and email addresses.
AI Analysis
Technical Summary
CVE-2025-12778 is a CWE-862 (Missing Authorization) flaw in the Ultimate Member Widgets for Elementor – WordPress User Directory plugin, which renders searchable user directories on WordPress sites. The root cause is the absence of a capability check in handle_filter_users, the function that serves directory filter requests. Because the function can be reached without authentication and never asks whether the caller is entitled to see user records, an unauthenticated remote attacker can invoke it and retrieve partial metadata for every registered user: first name, last name and e-mail address. All plugin versions up to and including 2.3 are affected. The attack is network-reachable and needs no privileges or user interaction, so it lends itself to automated scanning of exposed sites. The impact is confined to confidentiality; no data modification or denial of service is possible. No patch was linked at disclosure and no in-the-wild exploitation had been reported. The CVSS 3.1 base score of 5.3 (Medium) is what the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N yields and matches that description: trivial to exploit, limited data exposed. In WordPress a capability check (current_user_can()) is a separate control from a nonce: a nonce only proves the request originated from a page the site served, it does not authorize the caller, so adding a nonce alone would not close this class of bug. The leaked names and addresses are directly usable for phishing and social engineering, which is why the flaw matters to organizations that rely on the plugin for member directories.
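As an added illustration, not the plugin's code (which is not reproduced on this page), here is a minimal WordPress AJAX handler with the CWE-862 shape the advisory describes, beside a hardened version. The hook name um_filter_users, the search parameter and the list_users capability are assumptions chosen for the example; the advisory only names the handler handle_filter_users and does not state how it is reached.

```php
<?php
/*
 * Added example, not code from the userelements plugin.
 * Assumptions: the handler is reached as a WordPress AJAX action named
 * 'um_filter_users' with a 'search' POST field; the hardened version gates on
 * the 'list_users' capability. The advisory only names handle_filter_users.
 */

/* --- Vulnerable shape (CWE-862): registered for anonymous callers via the
 * wp_ajax_nopriv_ hook and never checks who is asking. */
add_action( 'wp_ajax_um_filter_users',        'vulnerable_handle_filter_users' );
add_action( 'wp_ajax_nopriv_um_filter_users', 'vulnerable_handle_filter_users' );

function vulnerable_handle_filter_users() {
    $search = isset( $_POST['search'] ) ? sanitize_text_field( wp_unslash( $_POST['search'] ) ) : '';
    // An empty search wildcard matches every account.
    $users  = get_users( array( 'search' => '*' . $search . '*' ) );
    $out    = array();
    foreach ( $users as $u ) {
        // Exactly the fields the advisory says leak.
        $out[] = array(
            'first_name' => $u->first_name,
            'last_name'  => $u->last_name,
            'email'      => $u->user_email,
        );
    }
    wp_send_json_success( $out );
}

/* --- Hardened shape. */
// 1. No wp_ajax_nopriv_ registration: anonymous requests get admin-ajax.php's
//    default "0" response and never reach the handler.
add_action( 'wp_ajax_um_filter_users', 'hardened_handle_filter_users' );

function hardened_handle_filter_users() {
    // 2. CSRF: the nonce ties the request to a page WordPress rendered for this
    //    user. It is not authorization, which is why step 3 is still needed.
    check_ajax_referer( 'um_filter_users', 'nonce' );

    // 3. Authorization (the check CWE-862 is about): is this caller allowed to
    //    enumerate accounts? wp_send_json_error() ends the request via wp_die().
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $search = isset( $_POST['search'] ) ? sanitize_text_field( wp_unslash( $_POST['search'] ) ) : '';
    // 4. Bound the result set so one call cannot dump the whole user table.
    $users  = get_users( array( 'search' => '*' . $search . '*', 'number' => 50 ) );

    // 5. Minimise output: return only what the widget renders. E-mail addresses
    //    stay server-side unless a specific capability justifies exposing them.
    $out = array();
    foreach ( $users as $u ) {
        $out[] = array( 'display_name' => $u->display_name );
    }
    wp_send_json_success( $out );
}
```

If the directory is meant to be visible to anonymous visitors, the nopriv hook has to stay and the capability check in step 3 cannot apply; the fix is then the result bounding and data minimisation in steps 4 and 5 plus rate limiting, because a public endpoint that returns e-mail addresses is the disclosure regardless of how it is called.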
Potential Impact
For European organizations, the primary impact is the unauthorized disclosure of personal data: first and last names and e-mail addresses of every registered user. That exposure is a personal-data breach under GDPR and comparable data protection regimes, with potential regulatory penalties and reputational damage. Attackers can use the leaked names and addresses for targeted phishing, and because e-mail addresses double as login identifiers on many WordPress sites, the list also supports credential stuffing and password spraying against the same accounts. The vulnerability does not allow modification or disruption of services, but the confidentiality breach alone is significant, especially for organizations handling sensitive user data or operating in regulated sectors such as finance, healthcare or government. Exploitation needs no authentication and no interaction, so bulk harvesting across vulnerable WordPress sites in Europe is cheap to automate; public-facing sites running the affected plugin should expect scanning and extraction attempts.
Mitigation Recommendations
Immediate mitigation: restrict access to the endpoint that serves directory filter requests, not just the directory page, by requiring authentication or allow-listing source IPs at the web server or web application firewall; blocking only the page leaves the data endpoint reachable. Monitor web server logs for repeated requests to that endpoint from a single source, especially in bursts and from non-browser user agents (a function name such as handle_filter_users never appears in an access log; the request path and query string do). Since no official patch was linked at disclosure, track the vendor's releases and confirm that any update moves the installed version past 2.3 before treating the issue as closed. In the interim, disabling or removing the Ultimate Member Widgets for Elementor – WordPress User Directory plugin removes the attack surface entirely. WAF rules that reject unauthenticated requests to the filter endpoint give additional cover while the plugin stays installed. Audit installed WordPress plugins and their versions regularly so vulnerable components are found and remediated. Because the exposed fields are personal data, treat evidence of harvesting in the logs as a breach to be assessed under GDPR, not only as a technical finding. Finally, educating site administrators about unauthorized data exposure and applying least privilege to plugin usage reduces future risk.
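A heuristic detector for the harvesting pattern described above, written as an added example and not drawn from the page or the plugin. It assumes the handler is dispatched through admin-ajax.php and that the AJAX action is named um_filter_users; both are assumptions. Standard access logs record neither POST bodies nor session cookies, so the detector keys on bursts of admin-ajax.php requests from one client and, as a second signal, on the action name when it is visible in a query string. The log lines are constructed.

```php
<?php
/*
 * Added example, not from the page or the plugin. Assumptions: the vulnerable
 * handler is reached via admin-ajax.php and its action is 'um_filter_users'.
 * Input is Apache/Nginx combined log format; the sample lines are constructed.
 */
declare(strict_types=1);

const AJAX_PATH      = '/wp-admin/admin-ajax.php';
const THRESHOLD      = 20;   // admin-ajax.php hits from one client within WINDOW_SECS
const WINDOW_SECS    = 60;
const SUSPECT_ACTION = 'um_filter_users';   // assumed action name, see lead-in

/** Parse one combined-log line into ip/ts/method/path/status, or null if it does not match. */
function parse_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    $ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    if ( false === $ts ) {
        return null;
    }
    return [ 'ip' => $m[1], 'ts' => $ts->getTimestamp(), 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5] ];
}

/** Per-IP findings: peak admin-ajax.php requests in any WINDOW_SECS span, plus explicit action hits. */
function detect( array $lines ): array {
    $hits     = [];   // ip => timestamps of admin-ajax.php requests
    $explicit = [];   // ip => requests naming SUSPECT_ACTION in the query string
    foreach ( $lines as $line ) {
        $r = parse_line( $line );
        if ( null === $r ) {
            continue;
        }
        $url = parse_url( $r['path'] );
        if ( false === $url || ( $url['path'] ?? '' ) !== AJAX_PATH ) {
            continue;
        }
        $hits[ $r['ip'] ][] = $r['ts'];
        parse_str( $url['query'] ?? '', $q );
        if ( ( $q['action'] ?? '' ) === SUSPECT_ACTION ) {
            $explicit[ $r['ip'] ] = ( $explicit[ $r['ip'] ] ?? 0 ) + 1;
        }
    }
    $findings = [];
    foreach ( $hits as $ip => $times ) {
        sort( $times );
        $peak = 0;
        $j    = 0;
        foreach ( $times as $i => $t ) {
            while ( $times[ $j ] < $t - WINDOW_SECS ) {   // slide the window start forward
                $j++;
            }
            $peak = max( $peak, $i - $j + 1 );
        }
        if ( $peak >= THRESHOLD || isset( $explicit[ $ip ] ) ) {
            $findings[ $ip ] = [ 'peak_per_window' => $peak, 'explicit_action_hits' => $explicit[ $ip ] ?? 0 ];
        }
    }
    return $findings;
}

// Constructed sample: 25 admin-ajax.php POSTs in 25 s from 203.0.113.7 (harvester),
// one GET naming the action from 198.51.100.9, and ordinary traffic from 192.0.2.4.
$sample = [];
$base   = strtotime( '2025-11-20 04:45:00 UTC' );
for ( $i = 0; $i < 25; $i++ ) {
    $sample[] = sprintf( '203.0.113.7 - - [%s] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 812 "-" "python-requests/2.31"',
        gmdate( 'd/M/Y:H:i:s +0000', $base + $i ) );
}
$sample[] = sprintf( '198.51.100.9 - - [%s] "GET /wp-admin/admin-ajax.php?action=um_filter_users&search=a HTTP/1.1" 200 640 "-" "curl/8.4.0"',
    gmdate( 'd/M/Y:H:i:s +0000', $base + 30 ) );
$sample[] = sprintf( '192.0.2.4 - - [%s] "GET /members/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    gmdate( 'd/M/Y:H:i:s +0000', $base + 31 ) );
$sample[] = sprintf( '192.0.2.4 - - [%s] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    gmdate( 'd/M/Y:H:i:s +0000', $base + 32 ) );

foreach ( detect( $sample ) as $ip => $f ) {
    printf( "%s: peak %d admin-ajax.php requests per %ds, %d explicit action hits\n",
        $ip, $f['peak_per_window'], WINDOW_SECS, $f['explicit_action_hits'] );
}
```

On the constructed sample this flags 203.0.113.7 (peak 25 in the window, no explicit hits) and 198.51.100.9 (one explicit hit) and leaves 192.0.2.4 alone. Legitimate WordPress pages also post to admin-ajax.php, so tune THRESHOLD against the site's normal baseline, and treat a match as a prompt to pull the WAF or application log that does record the action parameter rather than as proof of exploitation.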
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-05T20:46:27.814Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691e9cde6a37eb355c413d40
Added to database: 11/20/2025, 4:45:18 AM
Last enriched: 11/27/2025, 5:36:19 AM
Last updated: 1/7/2026, 8:46:01 AM
Views: 70
Related Threats
- CVE-2025-15158: CWE-434 Unrestricted Upload of File with Dangerous Type in eastsidecode WP Enable WebP (High)
- CVE-2025-15018: CWE-639 Authorization Bypass Through User-Controlled Key in djanym Optional Email (Critical)
- CVE-2025-15000: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tfrommen Page Keys (Medium)
- CVE-2025-14999: CWE-352 Cross-Site Request Forgery (CSRF) in kentothemes Latest Tabs (Medium)
- CVE-2025-13531: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in hayyatapps Stylish Order Form Builder (Medium)