CVE-2025-13660: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in rcatheme Guest Support
The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3. This is due to the plugin exposing a public AJAX endpoint that allows anyone to search for and retrieve user email addresses without any authentication or capability checks. This makes it possible for unauthenticated attackers to enumerate user accounts and extract email addresses via the guest_support_handler=ajax endpoint with the request=get_users parameter.
AI Analysis
Technical Summary
CVE-2025-13660 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the Guest Support plugin developed by rcatheme for WordPress. The vulnerability exists in all versions up to and including 1.2.3. The root cause is the exposure of a public AJAX endpoint (guest_support_handler=ajax) that accepts a parameter (get_users) allowing unauthenticated users to query and retrieve email addresses of registered users on the WordPress site. This endpoint lacks any authentication or capability checks, meaning that any attacker can enumerate user accounts and harvest email addresses without needing to log in or interact with the user. The vulnerability has a CVSS v3.1 base score of 5.3, indicating a medium severity level, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning it is remotely exploitable over the network with low attack complexity, requires no privileges or user interaction, and impacts confidentiality only. The exposure of user emails can lead to privacy violations, facilitate spear-phishing, spam campaigns, or social engineering attacks. Although no known exploits are currently reported in the wild and no patches have been released, the vulnerability poses a tangible risk to WordPress sites using this plugin. Organizations should monitor for updates from the vendor and consider interim mitigations such as restricting access to the AJAX endpoint or disabling the plugin if not essential.
Potential Impact
For European organizations, the exposure of user email addresses can have several negative consequences. Firstly, it compromises user privacy and may violate the EU General Data Protection Regulation (GDPR), which mandates protection of personal data including email addresses. This could lead to regulatory fines and reputational damage. Secondly, disclosed emails can be used by attackers to conduct targeted phishing or social engineering attacks, increasing the risk of credential theft or malware infections. Thirdly, the enumeration of user accounts can provide attackers with intelligence for further attacks against the organization’s WordPress infrastructure or other connected systems. While the vulnerability does not allow direct modification or disruption of services, the confidentiality breach alone is significant. Organizations with customer-facing WordPress sites using the Guest Support plugin are particularly at risk. The impact is heightened for sectors with sensitive user data or critical services, such as finance, healthcare, and government. The lack of authentication requirement and ease of exploitation mean that attackers can quickly harvest large volumes of email addresses without detection.
Mitigation Recommendations
1. Immediately audit WordPress sites to identify installations of the rcatheme Guest Support plugin, especially versions up to 1.2.3.
2. If possible, disable or uninstall the Guest Support plugin until a security patch is released by the vendor.
3. Restrict access to the vulnerable AJAX endpoint (guest_support_handler=ajax) by implementing web application firewall (WAF) rules that block unauthenticated requests containing the get_users parameter.
4. Use security plugins or custom code to enforce authentication and capability checks on AJAX endpoints to prevent unauthorized data exposure.
5. Monitor web server logs for suspicious requests targeting the AJAX endpoint to detect potential enumeration attempts.
6. Educate users and administrators about phishing risks stemming from leaked email addresses and implement email filtering and anti-phishing controls.
7. Stay updated with vendor announcements and apply official patches promptly once available.
8. Consider implementing rate limiting on AJAX endpoints to reduce the risk of automated enumeration.
9. Review and tighten WordPress user role permissions to minimize exposure of sensitive user data.
10. Conduct regular security assessments of WordPress plugins and themes to identify and remediate vulnerabilities proactively.
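As an added, defender-side example (not code from the advisory, Wordfence or the plugin), the script below covers steps 5 and 8: it parses access-log lines, picks out requests for the guest_support_handler=ajax / request=get_users action, and flags any client that repeats it within a short window. The combined log format, the per-client threshold and window, and the sample IPs are assumptions; the log lines are constructed.

```python
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Combined log format (assumed): client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (not real traffic): one client cycling search
# terms against the get_users action, one ordinary visitor with a single hit.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2025:07:01:10 +0000] "GET /?guest_support_handler=ajax&request=get_users&search=a HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.5 - - [12/Dec/2025:07:01:11 +0000] "GET /?guest_support_handler=ajax&request=get_users&search=b HTTP/1.1" 200 398 "-" "python-requests/2.31"
203.0.113.5 - - [12/Dec/2025:07:01:12 +0000] "GET /?guest_support_handler=ajax&request=get_users&search=c HTTP/1.1" 200 401 "-" "python-requests/2.31"
198.51.100.7 - - [12/Dec/2025:07:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Dec/2025:07:05:30 +0000] "GET /?guest_support_handler=ajax&request=get_users HTTP/1.1" 200 390 "-" "Mozilla/5.0"
"""

def is_get_users_request(path: str) -> bool:
    """True when the request targets the vulnerable get_users action."""
    qs = parse_qs(urlsplit(path).query)
    return qs.get("guest_support_handler") == ["ajax"] and qs.get("request") == ["get_users"]

def parse_line(line: str):
    """Split one access-log line into (ip, timestamp, method, path, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path, int(status)

def find_enumeration(log_text: str, threshold: int = 3, window_s: int = 60) -> dict:
    """Return {ip: total_get_users_hits} for clients that issued at least
    `threshold` get_users requests inside any `window_s`-second window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_get_users_request(rec[3]):
            hits[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        for i, t0 in enumerate(times):
            # hits in [t0, t0 + window_s]; times is sorted so bisect gives the count
            if bisect_right(times, t0 + timedelta(seconds=window_s)) - i >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Feed the function the relevant slice of your access log; flagged addresses are candidates for the WAF block or rate limit recommended above.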
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-25T16:08:54.521Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693bbde4e6d9263eb354937c
Added to database: 12/12/2025, 7:01:56 AM
Last enriched: 12/19/2025, 7:51:18 AM
Last updated: 2/7/2026, 6:23:57 AM