CVE-2025-13973: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in kasuga16 StickEasy Protected Contact Form
The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contact form submissions that were flagged as spam.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-13973 affects the StickEasy Protected Contact Form plugin for WordPress, specifically all versions up to and including 1.0.2. This plugin is designed to protect contact forms from spam submissions. However, it stores spam detection logs in a file named spcf-log.txt located in the wp-content/uploads/stickeasy-protected-contact-form directory. This location is publicly accessible and predictable, meaning that an unauthenticated attacker can directly access and download this log file via a web browser or automated script without any authentication or user interaction. The log file contains sensitive information such as visitor IP addresses, email addresses, and snippets of comments submitted through the contact form that were flagged as spam. This exposure constitutes a CWE-200 vulnerability, which is an exposure of sensitive information to unauthorized actors. The CVSS 3.1 base score is 5.3, indicating a medium severity level, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning the attack can be performed remotely without privileges or user interaction, and impacts confidentiality but not integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability primarily threatens privacy and confidentiality, potentially enabling attackers to harvest personal data for further malicious activities such as phishing or targeted attacks.
Potential Impact
For European organizations, this vulnerability poses a significant privacy risk, especially under stringent data protection regulations such as the GDPR. Exposure of visitor IP addresses and email addresses can lead to unauthorized profiling, targeted phishing campaigns, and reputational damage. Organizations relying on the StickEasy Protected Contact Form plugin may inadvertently leak personal data of their customers or users, resulting in potential regulatory fines and loss of trust. Although the vulnerability does not affect system integrity or availability, the confidentiality breach alone can have serious consequences, particularly for sectors handling sensitive or personal information such as healthcare, finance, and government services. The ease of exploitation (no authentication or user interaction required) increases the likelihood of automated scanning and data harvesting by malicious actors. European organizations with public-facing WordPress sites using this plugin are at risk of data leakage, which could also be leveraged for subsequent attacks or social engineering campaigns.
Mitigation Recommendations
Immediate mitigation steps include restricting access to the wp-content/uploads/stickeasy-protected-contact-form directory via web server configuration (e.g., using .htaccess rules or equivalent in Nginx) to prevent public access to spcf-log.txt. Organizations should monitor their web server logs for unauthorized access attempts to this path. If possible, disable or replace the StickEasy Protected Contact Form plugin with an alternative that does not expose sensitive logs publicly. Regularly audit WordPress plugins for security issues and ensure all plugins are kept up to date. Implement web application firewalls (WAFs) with rules to block access to known sensitive file paths. Once a patch or update is released by the vendor, apply it promptly. Additionally, organizations should review and minimize the amount of sensitive data logged by plugins and ensure logs are stored securely with proper access controls. Conduct privacy impact assessments to understand the scope of data exposure and notify affected users if required by law.
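As an added example (not part of the advisory, Wordfence's text, or the plugin's own code), the script below implements the log-monitoring step above. It parses combined-format Apache/Nginx access log lines, picks out requests for the spcf-log.txt path named in the advisory, and separates responses that actually served the file (which means the data has already left the server) from responses the web server refused (403/404, which is what you expect to see once a deny rule or file removal is in place). The log lines are constructed samples using documentation IP ranges, and the function names are my own.

```python
import re
import sys
from collections import Counter

# Path of the leaked log file named in the advisory for CVE-2025-13973.
EXPOSED_PATH = "/wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt"

# Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2026:06:40:01 +0000] "GET /wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt HTTP/1.1" 200 48211 "-" "python-requests/2.32"
198.51.100.23 - - [14/Feb/2026:06:41:15 +0000] "GET /contact/ HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2026:06:42:30 +0000] "HEAD /wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt?v=2 HTTP/1.1" 200 0 "-" "python-requests/2.32"
192.0.2.55 - - [15/Feb/2026:09:02:11 +0000] "GET /wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt HTTP/1.1" 403 199 "-" "curl/8.5.0"
this line is not in combined format
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string before comparing
    return rec


def triage(lines):
    """Bucket requests for EXPOSED_PATH by whether the server served or refused them."""
    summary = {"served": [], "blocked": [], "other": [], "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        if rec["path"] != EXPOSED_PATH:
            continue
        if rec["status"] in (200, 206, 304):
            summary["served"].append(rec)   # the file (or a cached copy) reached the client
        elif rec["status"] in (401, 403, 404):
            summary["blocked"].append(rec)  # deny rule or file removal is working
        else:
            summary["other"].append(rec)    # redirects, 5xx, etc.: worth a look
    return summary


def exposure_confirmed(summary):
    """True if at least one request actually obtained the log file."""
    return bool(summary["served"])


def top_sources(summary, n=10):
    """Client IPs that touched the path, most active first."""
    ips = Counter(r["ip"] for bucket in ("served", "blocked", "other") for r in summary[bucket])
    return ips.most_common(n)


def main(argv):
    # Usage: python spcf_log_triage.py /var/log/nginx/access.log  (no argument: built-in sample)
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            summary = triage(fh)
    else:
        summary = triage(SAMPLE_LOG.splitlines())
    print(f"served: {len(summary['served'])}  blocked: {len(summary['blocked'])}  "
          f"other: {len(summary['other'])}  unparsed: {summary['unparsed']}")
    if exposure_confirmed(summary):
        print("EXPOSURE: the log file was served to at least one client; treat as a data breach:")
        for r in summary["served"]:
            print(f"  {r['ts']}  {r['ip']}  {r['method']}  status={r['status']}  size={r['size']}  ua={r['ua']}")
    for ip, count in top_sources(summary):
        print(f"source {ip}: {count} request(s)")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the web server's access log after deploying the deny rule: in Nginx a `location` block matching the plugin's uploads directory with `deny all;`, in Apache an `.htaccess` in that directory containing `Require all denied`. New hits should then land in the blocked bucket, while anything in the served bucket dated before the rule is evidence that the flagged submissions (IP addresses, e-mail addresses, comment text) have already been read and belongs in the breach assessment. The HEAD request in the sample is counted as served on purpose: a 200 to a HEAD confirms the file is reachable even though no body was returned.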
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-03T16:01:21.540Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69901846c9e1ff5ad867f1cb
Added to database: 2/14/2026, 6:37:58 AM
Last enriched: 2/14/2026, 6:38:31 AM
Last updated: 2/21/2026, 12:22:01 AM