
CVE-2025-13496: CWE-862 Missing Authorization in moosend Moosend Landing Pages

Severity: Medium
Tags: Vulnerability, CVE-2025-13496, CWE-862
Published: Wed Jan 07 2026 (01/07/2026, 08:21:55 UTC)
Source: CVE Database V5
Vendor/Project: moosend
Product: Moosend Landing Pages

Description

The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the 'moosend_landing_api_key' option value.

AI-Powered Analysis

Last updated: 01/07/2026, 08:54:24 UTC

Technical Analysis

CVE-2025-13496 identifies a missing authorization vulnerability (CWE-862) in the Moosend Landing Pages plugin for WordPress, affecting all versions up to and including 1.1.6. The vulnerability arises because the moosend_landings_auth_get function does not perform a capability check before allowing modification of the 'moosend_landing_api_key' option. This omission permits any authenticated user with Subscriber-level access or higher to delete this critical API key, which is used for integration with Moosend's marketing automation services. The attack vector is remote network-based (AV:N), requires low attack complexity (AC:L), and no privileges (PR:N) or user interaction (UI:N) beyond being logged in as a Subscriber or above. The impact is limited to integrity (I:L) with no direct confidentiality or availability effects. Deleting the API key could disrupt marketing automation processes, causing operational issues for organizations relying on Moosend services. Although no exploits are currently known in the wild, the vulnerability represents a risk to organizations using this plugin, especially those with multiple users having Subscriber or higher roles. The vulnerability was published on January 7, 2026, and no patches are currently linked, indicating that mitigation may require manual intervention or plugin updates once available.
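The bug class described above, a WordPress AJAX handler that changes a site option without first checking the caller's capability, is easiest to see side by side with its fix. The following is an added example and is not the Moosend plugin's code: the handler bodies, action names and messages are hypothetical, and only the option name `moosend_landing_api_key` comes from the advisory. It shows why Subscriber-level accounts can reach such a handler (every `wp_ajax_*` hook fires for any authenticated user) and what the hardened form checks before touching the option.

```php
<?php
// Added example, not the plugin's own code. The action names, function bodies
// and messages are hypothetical; the option name comes from the advisory.

// UNSAFE PATTERN (hypothetical): a wp_ajax_* hook runs for every logged-in
// role, so without a capability check any Subscriber can clear the option.
function example_auth_get_unsafe() {
    delete_option( 'moosend_landing_api_key' );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_auth_get_unsafe', 'example_auth_get_unsafe' );

// HARDENED PATTERN: require a capability only administrators hold, and a
// nonce bound to this action, before the option is modified.
function example_auth_get_hardened() {
    // CWE-862 fix: refuse unless the caller may manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // CSRF guard: the request must carry a nonce issued for this action
    // (check_ajax_referer() ends the request on failure).
    check_ajax_referer( 'example_auth_get', 'nonce' );

    delete_option( 'moosend_landing_api_key' );
    wp_send_json_success( array( 'message' => 'API key cleared.' ) );
}
add_action( 'wp_ajax_example_auth_get_hardened', 'example_auth_get_hardened' );
```

When reviewing a plugin for this class of issue, look at every `wp_ajax_*`, `admin_post_*` and REST route callback and confirm that each one performs its own `current_user_can()` check: being reachable only from the admin area, or only by logged-in users, is not an authorization check.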

Potential Impact

For European organizations, this vulnerability could lead to unauthorized deletion of the Moosend API key, disrupting marketing automation workflows and potentially causing loss of marketing data synchronization. While it does not directly expose sensitive data or cause system downtime, the integrity compromise can lead to operational inefficiencies and loss of business continuity in marketing campaigns. Organizations with multiple users assigned Subscriber or higher roles are at increased risk, as any such user could exploit this flaw. This is particularly impactful for companies heavily reliant on Moosend for customer engagement and lead generation. The disruption could also affect customer experience and revenue generation. Additionally, the lack of proper authorization checks may indicate broader security weaknesses in the plugin, warranting a thorough security review. The medium severity suggests that while the threat is not critical, it should be addressed promptly to avoid potential exploitation.

Mitigation Recommendations

1. Immediately restrict Subscriber-level user permissions to only trusted individuals until a patch is available.
2. Monitor and audit user activities related to the Moosend plugin settings to detect unauthorized changes.
3. Implement a Web Application Firewall (WAF) rule to detect and block suspicious requests targeting the moosend_landings_auth_get function.
4. Regularly back up WordPress configuration and plugin settings, including the 'moosend_landing_api_key', to enable quick restoration if deletion occurs.
5. Contact the plugin vendor for updates or patches and apply them as soon as they are released.
6. Consider temporarily disabling the Moosend Landing Pages plugin if the risk outweighs the operational need until a secure version is available.
7. Educate users with Subscriber or higher roles on the risks and enforce strict access control policies.
8. Review and harden WordPress user role assignments to minimize unnecessary privileges.
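Recommendations 2 and 4 (audit changes to the plugin's settings, and keep a restorable copy of the API key) can be implemented directly inside WordPress while waiting for a fixed release. The following must-use plugin is an added example, not code from Moosend or from this page: the `delete_option` action, `wp_get_current_user()`, `update_option()` and `current_user_can()` are standard WordPress APIs, while the backup option name and the log line format are assumptions of this example. It records who attempted to delete `moosend_landing_api_key`, from where, and flags the event when the actor is not an administrator.

```php
<?php
/**
 * Plugin Name: Example API key deletion audit
 * Description: Added example, not the Moosend plugin's code. Place in
 *              wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Option named in the advisory; the backup option name is an assumption.
define( 'EXAMPLE_WATCHED_OPTION', 'moosend_landing_api_key' );
define( 'EXAMPLE_BACKUP_OPTION', 'example_moosend_api_key_backup' );

// 'delete_option' fires before the row is removed, so the current value
// can still be read and preserved.
add_action( 'delete_option', function ( $option ) {
    if ( EXAMPLE_WATCHED_OPTION !== $option ) {
        return;
    }

    $value = get_option( $option, false );
    if ( false !== $value ) {
        // Keep a copy so an administrator can restore it after an unwanted deletion.
        update_option( EXAMPLE_BACKUP_OPTION, $value, false );
    }

    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    $uri  = isset( $_SERVER['REQUEST_URI'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';

    // One structured line per event; ship the PHP error log to your SIEM.
    error_log( sprintf(
        'AUDIT option_delete option=%s user_id=%d login=%s roles=%s ip=%s uri=%s',
        $option,
        $user->ID,
        $user->user_login,
        implode( ',', (array) $user->roles ),
        $ip,
        $uri
    ) );

    // A deletion by anyone who cannot manage options should never happen
    // through legitimate use; flag it for follow-up.
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( 'AUDIT suspicious: non-administrator account deleted ' . $option );
    }
} );
```

This logs and preserves the value but does not block the deletion, because WordPress core does not offer a short-circuit filter for `delete_option()` the way it does for updates; blocking belongs in the plugin's own capability check or in a WAF rule as recommended above. The saved copy can be restored with `wp option update moosend_landing_api_key "$(wp option get example_moosend_api_key_backup)"` from WP-CLI.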


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-20T22:07:48.950Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 695e1b2fa55ed4ed998cb63e

Added to database: 1/7/2026, 8:37:03 AM

Last enriched: 1/7/2026, 8:54:24 AM

Last updated: 1/8/2026, 6:00:05 PM

Views: 23
