CVE-2025-13660 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the rcatheme Guest Support plugin for WordPress, specifically versions up to and including 1.2.3. The vulnerability stems from the plugin exposing a public AJAX endpoint (guest_support_handler=ajax) that accepts a get_users parameter. This endpoint lacks any authentication or capability checks, allowing any unauthenticated user to query and retrieve user email addresses from the WordPress site. The exposure of email addresses can facilitate targeted phishing campaigns, spam, or other social engineering attacks. The vulnerability does not affect the integrity or availability of the system, nor does it require user interaction or authentication, making it easier to exploit remotely. The CVSS 3.1 base score is 5.3, indicating a medium severity level primarily due to the confidentiality impact. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on November 25, 2025, and published on December 12, 2025. The plugin’s widespread use in WordPress sites, especially those relying on guest support features, increases the attack surface. The lack of authentication on the AJAX endpoint is a critical design flaw that should be addressed promptly to prevent unauthorized data disclosure.

The primary impact of CVE-2025-13660 is the unauthorized disclosure of user email addresses, which compromises the confidentiality of user data. While this does not directly affect system integrity or availability, the exposed email addresses can be leveraged by attackers to conduct phishing, spear-phishing, spam campaigns, or other social engineering attacks that may lead to further compromise. Organizations with large user bases or those in sectors where email confidentiality is critical (e.g., finance, healthcare, government) are at higher risk of reputational damage and potential regulatory penalties if user data is mishandled. The ease of exploitation (no authentication or user interaction required) increases the likelihood of automated scanning and mass enumeration of email addresses. Although no known exploits are currently in the wild, the vulnerability’s public disclosure may prompt attackers to develop exploitation tools. This could lead to increased targeted attacks against affected WordPress sites, especially those that have not implemented compensating controls or updated the plugin.

1. Immediately restrict access to the guest_support_handler=ajax endpoint by implementing authentication and capability checks at the web server or application level to ensure only authorized users can query user data. 2. Monitor web server logs for unusual or repeated access patterns to the AJAX endpoint, which may indicate enumeration attempts. 3. If possible, disable or remove the Guest Support plugin until a secure patched version is released. 4. Apply the official patch or update the plugin to a fixed version as soon as it becomes available from the vendor. 5. Implement rate limiting on AJAX endpoints to reduce the risk of automated enumeration attacks. 6. Educate users and administrators about phishing risks stemming from exposed email addresses and encourage vigilance. 7. Consider deploying Web Application Firewalls (WAFs) with custom rules to block unauthorized access to sensitive AJAX endpoints. 8. Review and audit other plugins and custom code for similar exposure of sensitive information via unauthenticated endpoints to prevent analogous vulnerabilities.