CVE-2025-13741 is a vulnerability classified under CWE-862 (Missing Authorization) found in the WordPress plugin 'Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories.' The issue arises from the absence of a proper capability check in the getAuthors function, which is responsible for retrieving author-related data. This missing authorization allows any authenticated user with at least Contributor-level privileges to access email addresses of all users who have the edit_posts capability, which typically includes Editors and Administrators. The vulnerability affects all plugin versions up to and including 4.9.2. Exploitation requires authentication but no further user interaction, and it can be performed remotely via network access to the WordPress site. The CVSS v3.1 base score is 4.3, reflecting a medium severity level due to the limited scope of impact—only confidentiality is affected, with no impact on integrity or availability. No public exploits have been reported, but the exposure of email addresses can facilitate targeted phishing, social engineering, or further attacks against privileged users. The vulnerability underscores the importance of enforcing strict authorization checks on sensitive functions within WordPress plugins, especially those managing user data and content scheduling.

The primary impact of CVE-2025-13741 is the unauthorized disclosure of email addresses belonging to users with elevated privileges (edit_posts capability) on WordPress sites using the affected PublishPress plugin. This breach of confidentiality can enable attackers to conduct targeted phishing campaigns, spear-phishing, or social engineering attacks against site administrators and editors, potentially leading to further compromise. Although the vulnerability does not allow direct modification or deletion of content, the exposure of sensitive user information undermines trust and may violate privacy regulations such as GDPR. Organizations relying on this plugin risk reputational damage and increased attack surface for subsequent intrusions. The medium severity rating reflects that exploitation requires authenticated access at Contributor level or higher, limiting the attacker base but still posing a significant risk in environments with multiple contributors or where contributor accounts may be compromised.

To mitigate CVE-2025-13741, organizations should immediately update the 'Schedule Post Changes With PublishPress Future' plugin to a patched version once released by the vendor. In the absence of an official patch, administrators can implement the following measures: 1) Restrict Contributor-level user creation and monitor existing accounts for suspicious activity to reduce the risk of unauthorized exploitation. 2) Apply custom code or hooks to enforce capability checks on the getAuthors function, ensuring only authorized roles can access sensitive user data. 3) Limit access to the WordPress admin area via IP whitelisting or VPN to reduce exposure. 4) Monitor logs for unusual access patterns or attempts to enumerate user data. 5) Educate users about phishing risks, as exposed emails may be targeted. 6) Regularly audit installed plugins for security updates and remove unnecessary plugins to minimize attack surface. These targeted mitigations go beyond generic advice by focusing on access control hardening and proactive monitoring specific to this vulnerability.