CVE-2025-13660: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in rcatheme Guest Support
The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3. This is due to the plugin exposing a public AJAX endpoint that allows anyone to search for and retrieve user email addresses without any authentication or capability checks. This makes it possible for unauthenticated attackers to enumerate user accounts and extract email addresses via the guest_support_handler=ajax endpoint with the request=get_users parameter.
AI Analysis
Technical Summary
CVE-2025-13660 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the Guest Support plugin developed by rcatheme for WordPress. The flaw exists in versions up to and including 1.2.3, where a public AJAX endpoint (guest_support_handler=ajax) is exposed without any authentication or capability checks. This endpoint accepts a request parameter get_users that allows an attacker to enumerate user accounts and retrieve their associated email addresses. Because the endpoint is publicly accessible, any unauthenticated attacker can exploit this to harvest user emails from affected WordPress sites. The vulnerability does not impact the integrity or availability of the system but compromises confidentiality by leaking sensitive user information. The CVSS v3.1 base score is 5.3, indicating a medium severity level due to the ease of exploitation (network vector, no privileges required, no user interaction) but limited impact scope (only email disclosure). No patches or fixes are currently available, and no known exploits have been reported in the wild. This vulnerability could facilitate phishing campaigns or social engineering attacks by providing attackers with valid user email addresses. Organizations using the Guest Support plugin should monitor for updates and consider interim mitigations to restrict access to the vulnerable endpoint.
Potential Impact
The primary impact of CVE-2025-13660 is the unauthorized disclosure of user email addresses, which compromises user privacy and confidentiality. For European organizations, this can lead to increased risk of phishing attacks, spear-phishing campaigns, and social engineering targeting employees or customers. While the vulnerability does not allow direct system compromise or data manipulation, the leaked emails can serve as a foothold for further attacks, including credential stuffing or targeted malware delivery. Organizations handling sensitive or regulated data (e.g., GDPR-protected personal data) may face compliance risks and reputational damage if user information is exposed. The impact is particularly relevant for organizations with public-facing WordPress sites using the vulnerable plugin, especially those with large user bases. Although no integrity or availability impact exists, the breach of confidentiality alone can have significant operational and legal consequences in Europe due to strict data protection regulations.
Mitigation Recommendations
1. Monitor the rcatheme Guest Support plugin repository and official channels for security patches addressing CVE-2025-13660 and apply updates immediately upon release.
2. Until a patch is available, implement web application firewall (WAF) rules to block or restrict access to the guest_support_handler=ajax endpoint, especially requests containing the get_users parameter.
3. Restrict access to the AJAX endpoint by IP whitelisting or requiring authentication to prevent unauthenticated enumeration.
4. Conduct regular audits of WordPress plugins and remove or replace plugins that are no longer maintained or have known vulnerabilities.
5. Educate users and administrators about phishing risks and implement email filtering and anti-phishing technologies to mitigate the impact of leaked email addresses.
6. Review and enforce least privilege principles for WordPress user roles to limit exposure of sensitive data.
7. Monitor logs for unusual access patterns to the vulnerable endpoint to detect potential exploitation attempts early.
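The last recommendation, watching web server logs for access to the vulnerable endpoint, can be scripted. The script below is an added example and is not code from this advisory, from Wordfence, or from the Guest Support plugin. It assumes a standard combined-format access log (Apache or Nginx) and that requests reach the endpoint through GET query parameters as the advisory describes (guest_support_handler=ajax with request=get_users); POST bodies are not recorded in access logs, so those requests need WAF or application-level logging. The sample log lines, IP addresses and the request=other_action value are constructed for the example.

```python
"""Flag access-log requests to the Guest Support AJAX endpoint and
report sources that repeatedly call the get_users action.

Added example, not the plugin's or the advisory's code. Assumes the
combined log format and GET query parameters (see lead-in).
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: three enumeration calls from one source, one
# unrelated call to the same endpoint (request=other_action is a
# constructed placeholder), and one ordinary page view.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Dec/2025:07:01:56 +0000] "GET /?guest_support_handler=ajax&request=get_users HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [12/Dec/2025:07:01:57 +0000] "GET /?guest_support_handler=ajax&request=get_users HTTP/1.1" 200 498 "-" "curl/8.4.0"',
    '203.0.113.7 - - [12/Dec/2025:07:01:58 +0000] "GET /?guest_support_handler=ajax&request=get_users HTTP/1.1" 200 475 "-" "curl/8.4.0"',
    '198.51.100.5 - - [12/Dec/2025:07:05:00 +0000] "GET /?guest_support_handler=ajax&request=other_action HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Dec/2025:07:06:00 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Keep the first value of each query parameter.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_endpoint_hit(rec):
    """True when the request targets the plugin's AJAX handler, whatever the path."""
    return rec["query"].get("guest_support_handler") == "ajax"


def is_user_enum(rec):
    """True for the user-enumeration action named in the advisory."""
    return is_endpoint_hit(rec) and rec["query"].get("request") == "get_users"


def analyze(lines, burst_threshold=3):
    """Return (endpoint hits, {ip: count} for sources at or above the threshold)."""
    hits = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_endpoint_hit(rec):
            continue
        rec["enum"] = is_user_enum(rec)
        hits.append(rec)
        if rec["enum"]:
            per_ip[rec["ip"]] += 1
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return hits, bursts


if __name__ == "__main__":
    hits, bursts = analyze(SAMPLE_LOG)
    for h in hits:
        tag = "ENUM" if h["enum"] else "endpoint"
        print(f"{h['ts']} {h['ip']} {h['method']} {h['target']} {h['status']} [{tag}]")
    for ip, n in bursts.items():
        print(f"ALERT: {ip} made {n} get_users calls")
```

The check keys on the query parameters rather than on a URL path because the advisory identifies the endpoint only by the guest_support_handler=ajax parameter; the burst threshold is a starting point to tune against normal traffic on the site. Any match from an unauthenticated source is worth reviewing, since legitimate use of a user lookup should be rare and tied to logged-in sessions.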
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-25T16:08:54.521Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693bbde4e6d9263eb354937c
Added to database: 12/12/2025, 7:01:56 AM
Last enriched: 12/12/2025, 7:17:53 AM
Last updated: 12/12/2025, 11:28:48 AM