CVE-2025-13741: CWE-862 Missing Authorization in publishpress Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to retrieve emails for all users with edit_posts capability.
AI Analysis
Technical Summary
CVE-2025-13741 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the WordPress plugin 'Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories' in all versions up to and including 4.9.2. The root cause is a missing capability check in the getAuthors function, which is responsible for retrieving author information. This flaw allows any authenticated user with at least Contributor-level privileges to access email addresses of all users who have the edit_posts capability, which typically includes Editors and Administrators. The vulnerability is exploitable remotely without user interaction and requires only low privileges, making it easier to exploit within compromised or multi-user WordPress environments. The CVSS v3.1 score is 4.3 (medium severity), reflecting limited impact confined to confidentiality with no effect on integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The exposure of email addresses can facilitate targeted phishing, social engineering, or further attacks against privileged users. This vulnerability highlights the importance of proper authorization checks in WordPress plugins, especially those managing content publishing workflows.
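The missing-authorization pattern described above, shown as an added example that is not the PublishPress Future plugin's own code: a hypothetical WordPress AJAX handler that returns author data to any logged-in user, beside a hardened version that checks a nonce, requires a capability matching the sensitivity of the data, and never returns email addresses. All function, action and nonce names are assumptions.

```php
<?php
// Hypothetical WordPress plugin snippet illustrating CWE-862 (added example,
// not the PublishPress Future plugin's code). All names are assumptions.

// VULNERABLE PATTERN: every authenticated user (Contributor included) can reach
// a wp_ajax_ callback, and nothing here verifies that the caller is allowed
// to enumerate users or to see their email addresses.
function demo_get_authors_vulnerable() {
    // get_users() accepts 'capability' since WordPress 5.9.
    $users = get_users( array( 'capability' => 'edit_posts' ) );
    $out   = array();
    foreach ( $users as $user ) {
        $out[] = array(
            'id'    => (int) $user->ID,
            'name'  => $user->display_name,
            'email' => $user->user_email, // PII of Editors/Admins leaks here
        );
    }
    wp_send_json_success( $out );
}
add_action( 'wp_ajax_demo_get_authors_vulnerable', 'demo_get_authors_vulnerable' );

// HARDENED PATTERN: reject forged requests (nonce), require a capability that
// matches the data returned, and return only the fields the feature needs
// (an author picker needs an ID and a display name, not an email address).
function demo_get_authors_hardened() {
    check_ajax_referer( 'demo_get_authors', 'nonce' ); // dies with 403 on failure

    if ( ! current_user_can( 'list_users' ) ) {       // Administrator by default
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $users = get_users( array(
        'capability' => 'edit_posts',
        'fields'     => array( 'ID', 'display_name' ), // user_email never selected
    ) );
    $out = array();
    foreach ( $users as $user ) {
        $out[] = array( 'id' => (int) $user->ID, 'name' => $user->display_name );
    }
    wp_send_json_success( $out );
}
add_action( 'wp_ajax_demo_get_authors_hardened', 'demo_get_authors_hardened' );
```

When reviewing a plugin for this class of bug, grep its `wp_ajax_` and REST route callbacks and confirm each one pairs a `current_user_can()` check with a nonce or `permission_callback`; a handler that only relies on the user being logged in is the pattern this CVE describes.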
Potential Impact
For European organizations, the primary impact is the unauthorized disclosure of email addresses belonging to users with elevated privileges (edit_posts capability). This can lead to increased risk of spear-phishing campaigns, social engineering attacks, and potential lateral movement if attackers leverage exposed emails to gain further access. Organizations relying on WordPress for content management, especially media companies, educational institutions, and government agencies, may face reputational damage and privacy compliance issues under GDPR due to unauthorized exposure of personal data. Although the vulnerability does not directly compromise system integrity or availability, the indirect consequences of targeted attacks enabled by this data leak can be significant. The ease of exploitation by low-privileged users increases the risk in environments with multiple contributors or editors. Since no known exploits are currently in the wild, proactive mitigation is critical to prevent future abuse.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations for the presence of the affected PublishPress Future plugin and verify the version in use. Until an official patch is released, consider temporarily disabling or removing the plugin to eliminate the vulnerability. If disabling is not feasible, restrict Contributor-level user accounts and review user roles to minimize exposure. Implement strict access controls and monitor logs for unusual access patterns to the getAuthors function or related API endpoints. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting this plugin’s functions. Additionally, educate content contributors about phishing risks and enforce multi-factor authentication (MFA) for users with edit_posts capabilities to mitigate risks from potential phishing attacks. Regularly check for updates from the vendor and apply patches promptly once available. Finally, conduct periodic security assessments of WordPress plugins to identify similar authorization issues proactively.
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-26T13:44:15.219Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694144fdb7167ed5be7864d0
Added to database: 12/16/2025, 11:39:41 AM
Last enriched: 12/16/2025, 11:47:50 AM
Last updated: 12/16/2025, 8:18:11 PM