The vulnerability identified as CVE-2025-14464 affects the kiwicommerce PDF Resume Parser plugin for WordPress, specifically all versions up to and including 1.0. The root cause is the plugin's registration of an AJAX action handler that is accessible without authentication, which inadvertently exposes SMTP configuration data, including usernames and passwords. This exposure constitutes a CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) vulnerability. Because the AJAX endpoint is publicly accessible, an attacker can send crafted requests to retrieve SMTP credentials stored in the WordPress configuration. These credentials are critical as they enable access to email accounts, which are often gateways to broader network access or sensitive communications. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting medium severity, primarily due to the lack of impact on integrity or availability but significant confidentiality loss. Exploitation requires no privileges or user interaction, increasing the risk. No patches or updates are currently listed, and no known exploits have been observed in the wild. However, the potential for credential theft and subsequent lateral movement or phishing attacks makes this a notable threat. The vulnerability highlights the importance of secure plugin development practices, including proper access control on AJAX handlers and safeguarding sensitive configuration data.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of SMTP credentials, which can lead to email account compromise. Email accounts often serve as critical communication channels and recovery mechanisms for other services; thus, their compromise can cascade into broader security incidents, including data breaches, business email compromise (BEC), and unauthorized access to internal systems. Organizations using the affected plugin on WordPress sites that handle recruitment, HR, or e-commerce functions may face reputational damage and operational disruption if attackers leverage stolen credentials. The medium CVSS score reflects limited direct impact on system integrity or availability but significant confidentiality concerns. The ease of exploitation (no authentication or user interaction needed) increases the likelihood of automated scanning and exploitation attempts, especially in environments with exposed WordPress installations. European entities with strict data protection regulations (e.g., GDPR) may also face compliance risks if sensitive personal data is indirectly exposed through compromised email accounts.

1. Immediately restrict access to the vulnerable AJAX action handler by implementing authentication checks or IP whitelisting to prevent unauthenticated access. 2. Remove or sanitize any code that exposes SMTP credentials or other sensitive configuration data via publicly accessible endpoints. 3. Rotate all SMTP credentials that may have been exposed to prevent unauthorized access using compromised credentials. 4. Monitor email accounts for suspicious activity, including unauthorized login attempts or unusual email sending patterns. 5. Apply the latest plugin updates once available from the vendor or consider disabling the PDF Resume Parser plugin until a secure version is released. 6. Conduct a thorough audit of all WordPress plugins and configurations to identify and remediate similar exposure risks. 7. Employ web application firewalls (WAFs) to detect and block suspicious AJAX requests targeting the vulnerable endpoint. 8. Educate administrators on the risks of exposing sensitive configuration data and enforce secure coding practices for plugin development.