CVE-2025-13496: CWE-862 Missing Authorization in moosend Moosend Landing Pages

Severity: Medium
Tags: Vulnerability, CVE-2025-13496, cve, cve-2025-13496, cwe-862
Published: Wed Jan 07 2026 (01/07/2026, 08:21:55 UTC)
Source: CVE Database V5
Vendor/Project: moosend
Product: Moosend Landing Pages

Description

CVE-2025-13496 is a medium severity vulnerability in the Moosend Landing Pages WordPress plugin, affecting all versions up to 1.1.6. It arises from a missing authorization check in the moosend_landings_auth_get function, allowing authenticated users with Subscriber-level access or higher to delete the 'moosend_landing_api_key' option. This unauthorized modification can disrupt integration with Moosend services, potentially impacting marketing automation workflows. The vulnerability does not allow remote unauthenticated exploitation and does not affect confidentiality or availability directly but compromises integrity. No known exploits are currently reported in the wild. European organizations using this plugin on WordPress sites should prioritize patching or restricting user roles to mitigate risk. Countries with high WordPress adoption and significant digital marketing activities, such as the UK, Germany, and France, are more likely to be affected. The vulnerability’s CVSS score is 5.3.

AI-Powered Analysis

Last updated: 01/14/2026, 15:36:14 UTC

Technical Analysis

CVE-2025-13496 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Moosend Landing Pages plugin for WordPress, affecting all versions up to and including 1.1.6. The root cause is the absence of a proper capability check in the moosend_landings_auth_get function, which is responsible for authorizing access to certain plugin functionalities. This flaw allows any authenticated user with Subscriber-level permissions or higher to delete the 'moosend_landing_api_key' stored in the WordPress options table. The API key is critical for the plugin’s integration with Moosend’s marketing automation services. By deleting this key, an attacker can disrupt the plugin’s ability to communicate with Moosend, effectively breaking marketing workflows or causing denial of service to those features. The vulnerability does not expose confidential data nor does it allow remote unauthenticated access, as it requires at least Subscriber-level authentication. The CVSS v3.1 score of 5.3 reflects a medium severity, with the vector indicating network attack vector, low attack complexity, no privileges required beyond Subscriber, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and no availability impact. No public exploits have been reported to date, and no patches are currently linked, suggesting that mitigation may require manual updates or vendor intervention. The vulnerability was reserved in November 2025 and published in January 2026 by Wordfence.

Potential Impact

For European organizations, the primary impact of this vulnerability is the potential disruption of marketing automation workflows relying on the Moosend Landing Pages plugin. Unauthorized deletion of the API key compromises the integrity of the plugin’s configuration, potentially causing loss of functionality in lead capture, email marketing, and customer engagement processes. While this does not directly expose sensitive data or cause system downtime, the interruption of marketing operations can lead to financial losses, reduced customer engagement, and reputational damage. Organizations with multiple users having Subscriber-level access or higher are at increased risk, as internal threat actors or compromised accounts could exploit this vulnerability. Since the attack requires authenticated access, the risk is mitigated somewhat by strong access controls, but the medium severity rating indicates that the threat should not be ignored. The lack of known exploits in the wild reduces immediate risk but does not eliminate the need for proactive mitigation. The impact is more pronounced for organizations heavily dependent on Moosend’s services integrated via this plugin, especially in sectors like e-commerce, digital marketing agencies, and media companies prevalent in Europe.

Mitigation Recommendations

To mitigate CVE-2025-13496, European organizations should first verify if they are using the Moosend Landing Pages plugin on their WordPress sites and identify the plugin version. Since no official patch links are currently available, organizations should monitor the vendor’s announcements for updates or patches. In the interim, restrict Subscriber-level and higher user permissions to trusted personnel only, minimizing the risk of unauthorized API key deletion. Implement role-based access controls (RBAC) and audit user activities related to plugin settings. Consider temporarily disabling the plugin if it is not critical or replacing it with alternative solutions that have proper authorization checks. Regularly back up WordPress configuration and database to enable quick restoration of the API key if deleted. Employ WordPress security plugins that can monitor and alert on changes to critical options or plugin configurations. Additionally, enforce strong authentication mechanisms such as multi-factor authentication (MFA) for all users with access to the WordPress admin area to reduce the risk of account compromise. Finally, conduct security awareness training for users with elevated permissions to recognize and prevent misuse.
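
One way to implement the interim monitoring and restriction described above, as an added example (not vendor code and not an official patch): a must-use plugin that logs every attempt to delete the option and refuses it for users without an administrative capability. The option name comes from the advisory; the `mlp_` names, the log format and the choice of `manage_options` as the required capability are assumptions.

```php
<?php
/**
 * Plugin Name: Guard moosend_landing_api_key (added example, not vendor code)
 *
 * Place in wp-content/mu-plugins/. Interim guard for CVE-2025-13496:
 * logs each attempt to delete the option and stops the request unless
 * the current user holds MLP_REQUIRED_CAP.
 */

// Option name as given in the advisory.
const MLP_GUARDED_OPTION = 'moosend_landing_api_key';
// Assumption: only administrators should be able to remove the API key.
const MLP_REQUIRED_CAP = 'manage_options';

/**
 * Hooked to the core 'delete_option' action, which fires before the row
 * is removed, so ending the request here leaves the key in place.
 */
function mlp_guard_option_delete( $option ) {
    if ( MLP_GUARDED_OPTION !== $option ) {
        return;
    }

    // WP-CLI runs without a logged-in user; treat shell access as trusted.
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return;
    }

    $user    = wp_get_current_user();
    $allowed = current_user_can( MLP_REQUIRED_CAP );

    // Audit trail: who asked for the deletion, from where, and the outcome.
    error_log( sprintf(
        '[mlp-guard] delete of %s by user_id=%d login=%s ip=%s allowed=%s',
        $option,
        $user->ID,
        $user->user_login,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $allowed ? 'yes' : 'no'
    ) );

    if ( ! $allowed ) {
        wp_die( 'You are not allowed to change this setting.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'delete_option', 'mlp_guard_option_delete', 10, 1 );
```

Because the guard runs for every code path that deletes the option, a scheduled task or other non-interactive request that removes the key is also blocked and shows up in the log with `user_id=0`.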

Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-20T22:07:48.950Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 695e1b2fa55ed4ed998cb63e

Added to database: 1/7/2026, 8:37:03 AM

Last enriched: 1/14/2026, 3:36:14 PM

Last updated: 2/5/2026, 12:43:34 AM
