CVE-2025-13493 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Latest Registered Users WordPress plugin developed by webrndexperts. The issue exists in all versions up to and including 1.4 due to the absence of proper authorization checks and nonce validation within the rnd_handle_form_submit function. This function is triggered by two WordPress actions: admin_post_my_simple_form and admin_post_nopriv_my_simple_form, which handle form submissions for both authenticated and unauthenticated users. Because of this, an unauthenticated attacker can craft a request specifying the 'action' parameter to invoke this function and export the complete list of registered users in CSV format. The exported data excludes passwords and sensitive tokens but may include other personally identifiable information such as usernames, email addresses, and registration dates. The vulnerability has a CVSS v3.1 base score of 7.5, reflecting its high severity due to network attack vector, no required privileges, no user interaction, and high impact on confidentiality. The vulnerability does not affect integrity or availability. No patches or fixes have been linked yet, and no known exploits have been reported in the wild, but the risk of data leakage is significant given the plugin’s usage in WordPress environments.

The primary impact of CVE-2025-13493 is unauthorized disclosure of user data from websites using the Latest Registered Users plugin. This can lead to privacy violations, exposure of personally identifiable information (PII), and potential compliance issues with data protection regulations such as GDPR or CCPA. Attackers could leverage the leaked user information for targeted phishing campaigns, social engineering, or further attacks against users or the organization. Since the vulnerability does not require authentication or user interaction, it can be exploited remotely and at scale, increasing the risk for websites with large user bases. Although passwords and sensitive tokens are not exposed, the leakage of other user details still represents a significant breach of confidentiality. Organizations relying on this plugin may suffer reputational damage and legal consequences if the vulnerability is exploited. The absence of known exploits in the wild suggests that immediate exploitation is not widespread, but the vulnerability’s simplicity and impact warrant urgent attention.

Organizations should immediately verify if they are using the Latest Registered Users plugin version 1.4 or earlier and plan to update to a patched version once available. In the absence of an official patch, administrators should consider disabling or uninstalling the plugin to prevent exploitation. As a temporary workaround, restricting access to the admin_post_my_simple_form and admin_post_nopriv_my_simple_form actions via web application firewall (WAF) rules or server-level access controls can help block unauthorized requests exploiting this vulnerability. Implementing strict IP whitelisting or authentication requirements for accessing these endpoints is recommended. Monitoring web server logs for suspicious requests containing the 'action' parameter related to this plugin can help detect attempted exploitation. Additionally, website owners should review user data exposure policies and ensure minimal data is stored or displayed publicly. Finally, maintaining regular backups and having an incident response plan ready will help mitigate potential damage if exploitation occurs.