CVE-2025-13029 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Knowband Mobile App Builder WordPress plugin prior to version 3.0.0. The flaw exists in the REST API endpoint that handles user deletion requests. Due to the absence of proper authorization checks, an unauthenticated attacker can send crafted HTTP requests to this endpoint and delete arbitrary user accounts on the affected WordPress site. This vulnerability does not require any authentication or user interaction, making it remotely exploitable over the internet. The CVSS v3.1 base score is 7.5, reflecting high severity primarily due to the ease of exploitation and the impact on integrity. The vulnerability affects the integrity of user data by allowing unauthorized deletion of user accounts, which can disrupt site operations, cause loss of user data, and potentially enable further attacks such as privilege escalation or denial of service through account removal. No confidentiality or availability impact is directly indicated. The vulnerability was reserved on 2025-11-11 and published on 2025-12-31. No patches or known exploits are currently reported, but the risk remains significant given the plugin's usage in WordPress environments, especially those supporting mobile app creation and e-commerce functionalities.

For European organizations, this vulnerability can lead to unauthorized deletion of user accounts, which may disrupt business operations, especially for e-commerce and customer-facing platforms relying on the Knowband Mobile App Builder plugin. Loss of user accounts can result in operational downtime, customer dissatisfaction, and potential loss of revenue. Additionally, attackers could delete administrative accounts, leading to loss of control over the website and enabling further malicious activities. The integrity of user data is compromised, and recovery may require significant administrative effort. Given the widespread use of WordPress in Europe, particularly in countries with strong e-commerce sectors such as Germany, the UK, France, and the Netherlands, the impact could be substantial. Organizations handling sensitive customer data or providing critical services via WordPress should consider this vulnerability a high risk to their operational security.

1. Immediately restrict access to the WordPress REST API endpoints related to user management by implementing IP whitelisting or authentication proxies to prevent unauthenticated requests. 2. Monitor logs for unusual user deletion activities and set up alerts for any REST API calls that delete users. 3. Disable or limit the Knowband Mobile App Builder plugin if it is not essential until a patched version is released. 4. Once available, promptly update the plugin to version 3.0.0 or later, which addresses the missing authorization issue. 5. Employ Web Application Firewalls (WAFs) with rules to detect and block unauthorized REST API requests targeting user deletion endpoints. 6. Conduct regular security audits and penetration testing focusing on REST API endpoints to identify and remediate similar authorization issues. 7. Educate site administrators about the risks of unauthorized user deletions and encourage strong administrative account protections, including multi-factor authentication.