CVE-2025-12778 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Ultimate Member Widgets for Elementor – WordPress User Directory plugin. The root cause is the absence of a capability check in the handle_filter_users function, which is responsible for filtering user data. This missing authorization allows unauthenticated attackers to invoke this function and retrieve partial metadata of all WordPress users registered on the site. Specifically, attackers can access first names, last names, and email addresses without needing any privileges or user interaction. The vulnerability affects all versions up to and including 2.3 of the plugin. The plugin is widely used to display user directories in WordPress sites built with Elementor, a popular page builder. The CVSS 3.1 base score is 5.3, indicating a medium severity primarily due to the ease of remote exploitation (no authentication or user interaction required) but limited to confidentiality impact without affecting integrity or availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. However, the exposure of user metadata can facilitate phishing, spam, or targeted social engineering attacks. The vulnerability highlights the importance of enforcing proper authorization checks on all sensitive functions in WordPress plugins, especially those handling user data.

The primary impact of this vulnerability is the unauthorized disclosure of partial user metadata, including first names, last names, and email addresses. This information can be leveraged by attackers to conduct phishing campaigns, spam distribution, or social engineering attacks against users of the affected WordPress sites. While the vulnerability does not allow modification or deletion of data, the breach of confidentiality can damage user trust and violate privacy regulations such as GDPR or CCPA. Organizations relying on this plugin for user directories risk reputational harm and potential legal consequences if user data is exposed. Since the vulnerability requires no authentication and no user interaction, it can be exploited remotely and at scale, increasing the risk for high-traffic websites. The scope includes any WordPress site using the affected plugin versions, which can be substantial given the popularity of Elementor and its ecosystem. Although availability and integrity are not impacted, the confidentiality breach alone warrants prompt remediation to prevent downstream attacks.

1. Immediate mitigation involves updating the Ultimate Member Widgets for Elementor – WordPress User Directory plugin to a patched version once available. Since no patch links are currently provided, monitor the vendor’s official channels for updates. 2. In the interim, disable or remove the affected widget or plugin if feasible to prevent exploitation. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the handle_filter_users function or unusual user enumeration patterns. 4. Restrict access to user directory endpoints by IP whitelisting or requiring authentication where possible. 5. Review and harden WordPress user roles and capabilities to minimize exposure of user data. 6. Conduct regular audits of installed plugins and their permissions to ensure no missing authorization checks exist. 7. Educate site administrators about the risks of exposing user metadata and encourage prompt application of security updates. 8. Monitor logs for unusual access patterns or data scraping attempts related to user directories. These steps collectively reduce the risk of unauthorized data disclosure until an official patch is released.