
CVE-2025-13493: CWE-862 Missing Authorization in webrndexperts Latest Registered Users

Severity: High
Published: Wed Jan 07 2026 (01/07/2026, 08:21:54 UTC)
Source: CVE Database V5
Vendor/Project: webrndexperts
Product: Latest Registered Users

Description

CVE-2025-13493 is a high-severity vulnerability in the WordPress plugin 'Latest Registered Users' by webrndexperts, affecting all versions up to 1.4. It stems from missing authorization and nonce validation in a form handling function, allowing unauthenticated attackers to export user data in CSV format via a crafted 'action' parameter. Although passwords and sensitive tokens are excluded, the exposed data can include personally identifiable information, posing significant privacy risks. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. There are currently no known public exploits or patches available. European organizations using this plugin on WordPress sites are at risk of data leakage, especially those with large user bases. Mitigation involves disabling or restricting access to the vulnerable functionality, monitoring for unusual export activity, and applying vendor patches when released. Countries with high WordPress adoption and strong data privacy regulations, such as Germany, France, and the UK, are particularly impacted. The CVSS 3.

AI-Powered Analysis

Last updated: 01/14/2026, 15:40:22 UTC

Technical Analysis

The vulnerability identified as CVE-2025-13493 affects the 'Latest Registered Users' WordPress plugin developed by webrndexperts, specifically versions up to and including 1.4. The root cause is a missing authorization check and nonce validation in the rnd_handle_form_submit function, which is hooked to both admin_post_my_simple_form and admin_post_nopriv_my_simple_form WordPress actions. This flaw allows unauthenticated attackers to invoke this function remotely by manipulating the 'action' parameter in HTTP requests, triggering an export of the complete user list in CSV format. The exported data excludes passwords and sensitive tokens but may include usernames, email addresses, registration dates, and other profile information. Because the vulnerability does not require authentication or user interaction, it can be exploited by any remote attacker scanning for vulnerable sites. The lack of nonce validation means that standard WordPress anti-CSRF protections are bypassed. Although no public exploits or patches have been reported at the time of publication, the vulnerability poses a significant risk of data leakage and privacy violations. The CVSS 3.1 base score of 7.5 reflects a high severity due to the network attack vector, no privileges required, no user interaction, and high confidentiality impact. The vulnerability is classified under CWE-862 (Missing Authorization), indicating a failure to properly restrict access to sensitive functionality. This issue is particularly critical for websites that manage large user databases or handle sensitive user information. The absence of patches necessitates immediate mitigation steps to prevent exploitation.

Potential Impact

For European organizations, this vulnerability can lead to unauthorized disclosure of user data, potentially violating GDPR and other data protection regulations. Exposure of personally identifiable information (PII) such as names, email addresses, and registration details can result in privacy breaches, reputational damage, and regulatory fines. Organizations operating customer-facing WordPress sites using this plugin are at risk of data leakage without any authentication barrier, increasing the likelihood of automated scanning and mass data harvesting by attackers. The impact is amplified in sectors like e-commerce, education, and public services where user data sensitivity is high. Additionally, leaked user data can be leveraged for targeted phishing campaigns or social engineering attacks. The lack of known exploits in the wild does not diminish the urgency, as the vulnerability is straightforward to exploit. European entities must consider the compliance implications and the potential for cross-border data breaches, which could trigger investigations by data protection authorities.

Mitigation Recommendations

Immediate mitigation should focus on restricting access to the vulnerable export functionality. This can be achieved by disabling the 'Latest Registered Users' plugin if it is not essential or by implementing web application firewall (WAF) rules to block requests containing the 'action' parameter values associated with the vulnerability. Site administrators should audit user export functionalities and ensure proper authorization and nonce validation are enforced. Monitoring web server logs for unusual or repeated access to admin_post_my_simple_form and admin_post_nopriv_my_simple_form endpoints can help detect exploitation attempts. Until an official patch is released, consider applying custom code fixes that add nonce verification and authorization checks in the rnd_handle_form_submit function. Regularly update WordPress core and plugins to the latest versions and subscribe to vendor advisories for patch releases. Conduct user data access reviews and ensure minimal data exposure in exports. Finally, inform users and stakeholders about the potential risk and prepare incident response plans in case of data leakage.
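The following is an added example, not the plugin's own code (the vulnerable source is not reproduced in this record), showing what the "custom code fix" recommended above looks like for an admin_post handler of the kind the analysis describes. The handler name rnd_handle_form_submit and the two hook names are taken from the advisory; the nonce action 'lru_export_users', the nonce field 'lru_nonce', the capability chosen, the export columns and the form-link helper are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's code): a hardened admin_post handler for the
// export described in CVE-2025-13493. Assumed names: 'lru_export_users' (nonce
// action), 'lru_nonce' (request field), lru_export_form_markup() (helper).

// Vulnerable pattern as the advisory describes it: the same handler is registered
// for logged-in AND unauthenticated (nopriv) requests and runs the export with no
// capability or nonce check.
//   add_action( 'admin_post_my_simple_form',        'rnd_handle_form_submit' );
//   add_action( 'admin_post_nopriv_my_simple_form', 'rnd_handle_form_submit' );

// Hardened registration: authenticated hook only. Without the nopriv hook,
// admin-post.php has nothing to dispatch for anonymous requests with this action.
add_action( 'admin_post_my_simple_form', 'rnd_handle_form_submit' );

// Emit a nonce-carrying link for the legitimate export trigger in the admin UI.
function lru_export_form_markup() {
    $url = wp_nonce_url(
        admin_url( 'admin-post.php?action=my_simple_form' ),
        'lru_export_users', // nonce action (assumed name)
        'lru_nonce'         // request field carrying the nonce (assumed name)
    );
    return '<a href="' . esc_url( $url ) . '">Export users (CSV)</a>';
}

function rnd_handle_form_submit() {
    // 1. Authorization (CWE-862 fix): exporting the user table is a
    //    user-management task, so require the matching capability.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_die( esc_html__( 'You are not allowed to export users.', 'lru' ), 403 );
    }

    // 2. CSRF: check_admin_referer() verifies the nonce and dies on failure,
    //    which is the validation the original handler lacked.
    check_admin_referer( 'lru_export_users', 'lru_nonce' );

    // 3. Data minimisation: request only the columns the export needs.
    $users = get_users( array(
        'fields' => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );

    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="registered-users.csv"' );

    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'ID', 'login', 'email', 'registered' ) );
    foreach ( $users as $u ) {
        fputcsv( $out, array( $u->ID, $u->user_login, $u->user_email, $u->user_registered ) );
    }
    fclose( $out );
    exit;
}
```

Two design points worth noting for anyone applying a fix like this in a child plugin or mu-plugin until the vendor ships a patch: removing the nopriv hook is what actually closes the unauthenticated path, and the capability check must come before any work is done, since a nonce alone only proves the request came from a page WordPress generated for that user, not that the user is allowed to export anything.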


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-20T21:55:48.114Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 695e1b2fa55ed4ed998cb638

Added to database: 1/7/2026, 8:37:03 AM

Last enriched: 1/14/2026, 3:40:22 PM

Last updated: 2/4/2026, 8:24:48 AM

Views: 58
