CVE-2025-14464: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in kiwicommerce PDF Resume Parser
The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accounts and potentially gain unauthorized access to other systems using the same credentials.
AI Analysis
Technical Summary
CVE-2025-14464 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the kiwicommerce PDF Resume Parser plugin for WordPress. The issue arises because the plugin registers an AJAX action handler that is accessible without authentication, allowing any remote attacker to invoke it and retrieve SMTP configuration details stored in the WordPress environment. These details include sensitive credentials such as SMTP usernames and passwords, which are critical for email delivery services. Since SMTP credentials often have broad access, their exposure can lead to unauthorized email sending, interception of communications, or further compromise of systems where the same credentials are reused. The vulnerability affects all versions up to and including 1.0 of the plugin. The CVSS 3.1 base score is 5.3 (medium severity), reflecting the ease of exploitation (network accessible, no privileges or user interaction required) but limited impact to confidentiality only, with no direct impact on integrity or availability. No patches or fixes are currently listed, and no known exploits have been reported in the wild. The vulnerability's exploitation could facilitate phishing campaigns, spam distribution, or lateral movement within a network if attackers leverage the stolen credentials. The exposure is particularly concerning for organizations relying on WordPress for public-facing sites that use this plugin for resume parsing functionality, as it creates an unintended attack surface.
Potential Impact
For European organizations, the exposure of SMTP credentials can have several serious consequences. Compromised email accounts can lead to unauthorized email sending, including phishing or spear-phishing attacks targeting internal users or external partners, potentially resulting in data breaches or financial fraud. Attackers gaining access to SMTP credentials may also intercept sensitive communications or use the credentials to pivot to other systems if password reuse occurs. This vulnerability undermines the confidentiality of email infrastructure and can damage organizational reputation if exploited. Additionally, organizations subject to GDPR and other data protection regulations may face compliance issues and penalties if sensitive information is leaked due to this vulnerability. The impact is heightened for sectors with critical communications needs such as finance, healthcare, government, and large enterprises. Since the vulnerability requires no authentication and is remotely exploitable, it increases the attack surface for threat actors targeting European entities using this plugin. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks.
Mitigation Recommendations
European organizations should take the following specific steps to mitigate this vulnerability:
1) Immediately audit WordPress installations to identify the presence of the kiwicommerce PDF Resume Parser plugin and confirm affected versions.
2) If possible, disable or remove the plugin until a patch or update is available.
3) Restrict access to the AJAX action handler by implementing authentication checks or IP whitelisting at the web server or application firewall level to prevent unauthenticated access.
4) Rotate all SMTP credentials exposed by the plugin to invalidate any potentially compromised credentials.
5) Monitor email logs and network traffic for unusual activity indicative of credential misuse or unauthorized email sending.
6) Implement multi-factor authentication (MFA) on email accounts where supported to reduce the impact of credential exposure.
7) Keep WordPress core and all plugins updated regularly and subscribe to vulnerability advisories for timely patching.
8) Consider deploying web application firewalls (WAFs) with custom rules to detect and block exploitation attempts targeting this AJAX endpoint.
9) Educate IT and security teams about this vulnerability to ensure rapid response if exploitation attempts are detected.
These measures go beyond generic advice by focusing on access control to the vulnerable endpoint, credential hygiene, and active monitoring tailored to this specific exposure.
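The root cause described above is a common WordPress plugin mistake: registering a callback under the wp_ajax_nopriv_ hook (which WordPress exposes to anyone who can reach admin-ajax.php) and returning stored settings verbatim. The following is an added illustration, not code from the PDF Resume Parser plugin; the action name prp_get_smtp_settings, the option key prp_smtp_settings and the nonce name are hypothetical. It shows the weak pattern beside a hardened handler that applies the access-control and data-minimisation points from mitigation steps 3 and 4.

```php
<?php
// Added illustration; not the plugin's own code. The action name, option key
// and nonce name below are hypothetical placeholders.

// --- Weak pattern (the class of bug the advisory describes) ---
// Registering under wp_ajax_nopriv_ makes the handler reachable without a
// session, and the callback echoes the whole settings array, password included.
add_action( 'wp_ajax_prp_get_smtp_settings',        'prp_get_smtp_settings_unsafe' );
add_action( 'wp_ajax_nopriv_prp_get_smtp_settings', 'prp_get_smtp_settings_unsafe' );

function prp_get_smtp_settings_unsafe() {
    $settings = get_option( 'prp_smtp_settings', array() );
    wp_send_json_success( $settings ); // leaks host, username AND password
}

// --- Hardened pattern ---
// 1. No wp_ajax_nopriv_ registration: WordPress returns "0" to anonymous callers.
// 2. Capability check: only users who may manage options can read mail config.
// 3. Nonce check: blocks cross-site requests riding on an admin's session.
// 4. Minimised response: the secret never leaves the server.
add_action( 'wp_ajax_prp_get_smtp_settings', 'prp_get_smtp_settings_safe' );

function prp_get_smtp_settings_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() calls wp_die(), so execution stops here.
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // Dies with -1 if the nonce is missing or invalid.
    check_ajax_referer( 'prp_smtp_settings_nonce', 'nonce' );

    $settings = get_option( 'prp_smtp_settings', array() );
    wp_send_json_success( prp_redact_smtp_settings( $settings ) );
}

/**
 * Return only the fields an admin screen needs to display; the password is
 * replaced by a boolean saying whether one is configured. Kept as a pure
 * function so it can be unit-tested without loading WordPress.
 */
function prp_redact_smtp_settings( array $settings ) {
    $allowed = array( 'host', 'port', 'encryption', 'username', 'from_email' );
    $out     = array();
    foreach ( $allowed as $key ) {
        if ( isset( $settings[ $key ] ) ) {
            $out[ $key ] = $settings[ $key ];
        }
    }
    $out['password_set'] = ! empty( $settings['password'] );
    return $out;
}
```

During the audit in step 1, the same review applies to every plugin on the site: list all add_action( 'wp_ajax_nopriv_…' ) registrations and confirm that each callback is genuinely intended for anonymous visitors and returns no configuration data. Even the authenticated wp_ajax_ hook is reachable by any logged-in user (subscribers included), so the capability check is what actually limits who can read the settings; removing the nopriv registration alone is not sufficient.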
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-10T16:02:23.485Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69672e008330e067168f3fce
Added to database: 1/14/2026, 5:47:44 AM
Last enriched: 1/14/2026, 6:07:44 AM
Last updated: 1/14/2026, 4:42:02 PM
Related Threats
- CVE-2025-37185: Vulnerability in Hewlett Packard Enterprise (HPE) EdgeConnect SD-WAN Orchestrator (Medium)
- CVE-2025-37184: Vulnerability in Hewlett Packard Enterprise (HPE) EdgeConnect SD-WAN Orchestrator (Medium)
- CVE-2025-37183: Vulnerability in Hewlett Packard Enterprise (HPE) EdgeConnect SD-WAN Orchestrator (High)
- CVE-2025-37182: Vulnerability in Hewlett Packard Enterprise (HPE) EdgeConnect SD-WAN Orchestrator (High)
- CVE-2025-37181: Vulnerability in Hewlett Packard Enterprise (HPE) EdgeConnect SD-WAN Orchestrator (High)