CVE-2025-13741: CWE-862 Missing Authorization in publishpress Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to retrieve emails for all users with edit_posts capability.
AI Analysis
Technical Summary
CVE-2025-13741 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the WordPress plugin 'Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories' in all versions up to and including 4.9.2. The root cause is the absence of a proper capability check in the getAuthors function, which is responsible for retrieving author-related data. This flaw allows any authenticated user with at least Contributor-level privileges to access email addresses of all users who have the edit_posts capability, which typically includes Editors and Administrators. The vulnerability is exploitable remotely without user interaction, as it requires only authenticated access to the WordPress backend. The CVSS v3.1 base score is 4.3, reflecting a medium severity due to the limited scope of impact (confidentiality only) and the requirement for authenticated access. No integrity or availability impacts are noted. No patches or known exploits have been reported at the time of publication, but the exposure of email addresses can facilitate targeted phishing or social engineering attacks. The vulnerability affects a widely used WordPress plugin, which is popular among content management teams for scheduling and managing post statuses and categories.
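The class of bug described above (CWE-862 in a WordPress AJAX handler) is easiest to see side by side with its fix. The code below is an added illustration, not the PublishPress Future plugin's own code: the page does not say how the real getAuthors function is exposed, so the action name `example_get_authors`, the nonce name and the choice of `edit_others_posts` as the gating capability are assumptions. What the page does establish is that Contributors must not be able to reach user e-mail addresses; the hardened handler enforces that and also drops the e-mail field from the response so a future authorization slip cannot leak it again.

```php
<?php
/*
 * Added illustration, not the PublishPress Future plugin's own code.
 * Assumed: the author list is served through a WordPress AJAX action
 * named 'example_get_authors' (hypothetical name) and is consumed by an
 * editor-side dropdown that needs only IDs and display names.
 */

// BEFORE (CWE-862 pattern): every logged-in user can reach a wp_ajax_*
// action, so with no capability check a Contributor can pull the e-mail
// address of every user who holds edit_posts (Authors, Editors, Admins).
// Shown for contrast only; it is not registered below.
function example_get_authors_vulnerable() {
    $users = get_users( array( 'capability' => 'edit_posts' ) );
    $out   = array();
    foreach ( $users as $user ) {
        $out[] = array(
            'id'    => $user->ID,
            'name'  => $user->display_name,
            'email' => $user->user_email, // personal data handed to any caller
        );
    }
    wp_send_json_success( $out );
}

// AFTER: nonce check, explicit capability check, minimal response fields.
function example_get_authors_hardened() {
    // Reject forged cross-site requests before doing any work.
    check_ajax_referer( 'example_get_authors', 'nonce' );

    // Only users who manage other people's posts need an author list.
    // In the default WordPress role set 'edit_others_posts' is granted to
    // Editors and Administrators but not to Contributors or Authors.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        // Record the denied call so repeated enumeration attempts show up
        // in the PHP error log (supports log monitoring of this endpoint).
        error_log( sprintf(
            'example_get_authors denied for user %d from %s',
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // Ask WP_User_Query for exactly the two fields the UI needs; the
    // e-mail address never enters the response object at all.
    $users = get_users( array(
        'capability' => 'edit_posts',
        'fields'     => array( 'ID', 'display_name' ),
    ) );
    $out = array();
    foreach ( $users as $user ) {
        $out[] = array(
            'id'   => (int) $user->ID,
            'name' => $user->display_name,
        );
    }
    wp_send_json_success( $out );
}
add_action( 'wp_ajax_example_get_authors', 'example_get_authors_hardened' );
```

Two points of the design are worth noting. The capability check uses `current_user_can()` rather than inspecting the user's role name, so custom roles that legitimately hold `edit_others_posts` keep working. And the response is minimised independently of the authorization check: even if a later change weakens the check, the handler no longer has an e-mail address to disclose, which is the defence-in-depth property a reviewer should ask for when patching a CWE-862 finding.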
Potential Impact
For European organizations, the primary impact of this vulnerability is the unauthorized disclosure of email addresses of privileged users, which can lead to increased risk of spear-phishing, social engineering, and targeted attacks against key personnel such as editors and administrators. While the vulnerability does not allow direct modification or deletion of content, the exposure of sensitive user data undermines confidentiality and can be leveraged as a stepping stone for further attacks. Organizations relying on WordPress with the affected PublishPress plugin, especially those with Contributor-level users, are at risk. This can be particularly concerning for media companies, publishing houses, and other content-driven enterprises prevalent in Europe. The breach of user privacy may also have regulatory implications under GDPR, as email addresses are personal data. The lack of known exploits reduces immediate risk but does not eliminate the threat of future exploitation.
Mitigation Recommendations
1. Immediately update the 'Schedule Post Changes With PublishPress Future' plugin to a patched version once available.
2. Until a patch is released, restrict Contributor-level and above access to trusted users only, minimizing the number of users who can exploit this flaw.
3. Implement strict role-based access controls (RBAC) and audit user permissions regularly to ensure minimal necessary privileges.
4. Monitor WordPress logs for unusual access patterns or attempts to enumerate user data.
5. Consider temporarily disabling the plugin if it is not critical to operations.
6. Educate users, especially those with elevated privileges, about phishing risks and encourage vigilance.
7. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable function.
8. Conduct regular security assessments and penetration tests focusing on WordPress plugins and user privilege escalation vectors.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-26T13:44:15.219Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694144fdb7167ed5be7864d0
Added to database: 12/16/2025, 11:39:41 AM
Last enriched: 12/23/2025, 12:12:27 PM
Last updated: 2/7/2026, 1:07:55 PM
Views: 129