CVE-2025-13496 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Moosend Landing Pages plugin for WordPress, affecting all versions up to and including 1.1.6. The root cause is the absence of a proper capability check within the moosend_landings_auth_get function, which is responsible for authorizing access to certain plugin functionalities. This flaw allows any authenticated user with Subscriber-level privileges or higher to delete the 'moosend_landing_api_key' stored in the WordPress options table. The API key is critical for the plugin’s communication with Moosend’s marketing automation services. By deleting this key, an attacker can disrupt the plugin’s functionality, potentially halting email campaigns, landing page integrations, and other automated marketing processes. The vulnerability does not allow for direct data exfiltration or system compromise but undermines the integrity of the plugin’s configuration. Exploitation is straightforward since it requires only a low-level authenticated user and no additional user interaction. The CVSS v3.1 base score is 5.3, reflecting a medium severity due to the limited scope and impact. There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. The vulnerability was reserved in November 2025 and published in January 2026 by Wordfence.

The primary impact of CVE-2025-13496 is the unauthorized deletion of the Moosend API key, which can disrupt marketing automation workflows dependent on the Moosend Landing Pages plugin. Organizations relying on this plugin for email campaigns, lead generation, or customer engagement may experience service interruptions, loss of marketing data synchronization, and degraded user experience. Although the vulnerability does not directly compromise data confidentiality or availability of the WordPress site, it undermines the integrity of the plugin’s configuration and can cause operational disruptions. Attackers with Subscriber-level access, which is commonly granted to registered users or contributors, can exploit this flaw without elevated privileges, increasing the risk in environments with many authenticated users. This could lead to increased support costs, loss of marketing effectiveness, and potential reputational damage if campaigns fail unexpectedly. Since the vulnerability does not enable privilege escalation or remote code execution, the broader system risk remains limited, but the targeted impact on marketing operations can be significant for affected organizations.

To mitigate CVE-2025-13496, organizations should first verify if they are using the Moosend Landing Pages plugin version 1.1.6 or earlier. If so, immediate steps include restricting Subscriber-level user capabilities to prevent unauthorized access to plugin functions. This can be done by customizing WordPress roles and capabilities to limit access to the moosend_landings_auth_get function or related plugin endpoints. Administrators should monitor and audit user accounts to ensure that only trusted users have Subscriber or higher roles. Until an official patch is released, consider temporarily disabling the plugin if it is not critical or replacing it with alternative solutions that enforce proper authorization. Additionally, implement web application firewalls (WAFs) with rules to detect and block unauthorized API key deletion attempts. Regularly back up WordPress configuration and plugin settings to enable quick restoration if the API key is deleted. Finally, stay updated with vendor advisories and apply patches promptly once available.