CVE-2025-13973: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in kasuga16 StickEasy Protected Contact Form
The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable, publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information, including visitor IP addresses, email addresses, and comment snippets from contact form submissions that were flagged as spam.
AI Analysis
Technical Summary
CVE-2025-13973 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the StickEasy Protected Contact Form plugin for WordPress, versions up to and including 1.0.2. The plugin generates spam detection logs that are stored in a fixed, publicly accessible path within the WordPress uploads directory (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). Because this location is predictable and lacks access controls, any unauthenticated attacker can retrieve this log file directly via HTTP requests. The logs contain sensitive data such as visitor IP addresses, email addresses, and snippets of comments submitted through the contact form that were flagged as spam. This exposure compromises user privacy and could facilitate further targeted attacks or social engineering. The vulnerability has a CVSS 3.1 base score of 5.3, indicating medium severity, with an attack vector of network (remote), no privileges required, no user interaction needed, and limited impact confined to confidentiality loss. There are no known exploits in the wild at this time, and no official patches have been released yet. The issue stems from improper access control on sensitive log files and predictable file storage paths within the plugin's design.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of sensitive user information submitted via the contact form, including IP addresses and email addresses. This can lead to privacy violations, regulatory non-compliance (especially under GDPR, CCPA, and similar data protection laws), and reputational damage for affected organizations. Attackers could use the exposed data for targeted phishing, spam campaigns, or to map out potential victims for further exploitation. Although the vulnerability does not affect system integrity or availability, the confidentiality breach alone can have significant consequences, especially for organizations handling sensitive or personal data. Since the vulnerability requires no authentication and no user interaction, it can be exploited easily by remote attackers scanning for vulnerable sites. Organizations relying on this plugin for customer interactions or lead generation are at risk of data leakage until mitigations or patches are applied.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately implement access controls to prevent public access to the spam detection log file. This can be done by configuring web server rules (e.g., .htaccess for Apache, location blocks for Nginx) to deny access to the wp-content/uploads/stickeasy-protected-contact-form directory or specifically to spcf-log.txt. Alternatively, file system permissions should be adjusted to restrict read access to authorized users only. Administrators should monitor their web server logs for any unauthorized attempts to access this file. It is also advisable to remove or archive existing log files containing sensitive data and ensure that future logs are stored securely or encrypted. Organizations should track updates from the plugin vendor and apply patches promptly once released. As a longer-term measure, consider using alternative contact form plugins with better security practices and configurable logging options. Regular security audits and vulnerability scanning of WordPress plugins can help detect similar issues proactively.
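As an added defender-side example (not from the advisory, the plugin, or the vendor), the following bash script applies the Apache deny rule recommended above and audits a combined-format web server access log for retrievals of spcf-log.txt; the directory, log path and sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the advisory or the plugin's own code.
# spcf_write_htaccess DIR   - writes an Apache 2.4 .htaccess into DIR (stand-in for
#   wp-content/uploads/stickeasy-protected-contact-form) denying all HTTP access
#   to spcf-log.txt. Assumes AllowOverride permits .htaccess in the uploads tree.
# spcf_audit_access_log LOG - counts requests for spcf-log.txt in a combined-format
#   access log: served (2xx) means the file was exposed and should be treated as
#   leaked; blocked (403/404) means the deny rule is working.
set -eu

LOG_NAME="spcf-log.txt"

spcf_write_htaccess() {
  local dir="$1"
  mkdir -p "$dir"
  cat > "$dir/.htaccess" <<'EOF'
# Deny direct web access to the spam log exposed by CVE-2025-13973
<Files "spcf-log.txt">
    Require all denied
</Files>
EOF
  printf '%s\n' "$dir/.htaccess"
}

# Combined log format: $7 is the request path, $9 the HTTP status code.
spcf_audit_access_log() {
  awk -v name="$LOG_NAME" '
    $7 ~ ("/" name "($|\\?)") { if ($9 ~ /^2/) served++; else blocked++ }
    END { printf "served=%d blocked=%d\n", served + 0, blocked + 0 }
  ' "$1"
}

# Demo on constructed sample data (not a real site): one leak, one blocked request.
demo() {
  local tmp; tmp="$(mktemp -d)"
  cat > "$tmp/access.log" <<'EOF'
203.0.113.5 - - [14/Feb/2026:06:37:58 +0000] "GET /wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt HTTP/1.1" 200 8192 "-" "curl/8.5.0"
203.0.113.5 - - [14/Feb/2026:06:38:01 +0000] "GET /wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt?x=1 HTTP/1.1" 403 199 "-" "curl/8.5.0"
198.51.100.7 - - [14/Feb/2026:06:40:12 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
  spcf_write_htaccess "$tmp/stickeasy-protected-contact-form"
  spcf_audit_access_log "$tmp/access.log"   # served=1 blocked=1
}

demo
```

A served count above zero means the log was already downloaded, so the exposed IP addresses and email addresses should be handled as a data breach, not just a configuration fix.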
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-03T16:01:21.540Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69901846c9e1ff5ad867f1cb
Added to database: 2/14/2026, 6:37:58 AM
Last enriched: 2/21/2026, 10:22:40 PM
Last updated: 4/4/2026, 11:16:12 PM