CVE-2025-14464 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the kiwicommerce PDF Resume Parser plugin for WordPress. The vulnerability exists in all versions up to and including 1.0 due to the plugin registering an AJAX action handler that is accessible to unauthenticated users. This handler exposes SMTP configuration details, including sensitive credentials such as usernames and passwords, stored in the WordPress configuration. Because the AJAX endpoint does not require authentication or user interaction, an attacker can remotely exploit this flaw by sending crafted requests to the vulnerable WordPress site. The exposed SMTP credentials can be leveraged to compromise email accounts, which may lead to further unauthorized access to other systems if the same credentials are reused elsewhere. The CVSS v3.1 base score is 5.3, reflecting a medium severity with network attack vector, no privileges required, and no user interaction needed. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk due to the sensitive nature of the exposed information and the potential for subsequent attacks leveraging compromised email accounts. The lack of available patches at the time of publication increases the urgency for mitigation through configuration changes or plugin removal.

The primary impact of this vulnerability is the unauthorized disclosure of SMTP credentials, which compromises the confidentiality of sensitive information. Attackers gaining access to these credentials can hijack email accounts, enabling them to intercept, manipulate, or spoof email communications. This can lead to phishing campaigns, data exfiltration, or further network intrusion if credentials are reused for other services. The exposure does not directly affect system integrity or availability but can facilitate secondary attacks that do. Organizations relying on the affected plugin risk reputational damage, loss of customer trust, and potential regulatory penalties if sensitive communications are compromised. Since the vulnerability is remotely exploitable without authentication, the attack surface is broad, affecting any publicly accessible WordPress site running the vulnerable plugin. The medium CVSS score reflects moderate impact but high exploitability, making timely mitigation critical to prevent escalation.

1. Immediately restrict access to the vulnerable AJAX action handler by implementing authentication checks or IP-based access controls in the WordPress environment. 2. Disable or remove the kiwicommerce PDF Resume Parser plugin until a security patch or updated version is released by the vendor. 3. Review and rotate SMTP credentials exposed by the vulnerability to prevent unauthorized use. 4. Implement strong, unique passwords for SMTP accounts and avoid credential reuse across multiple systems. 5. Monitor email accounts for suspicious activity and enable multi-factor authentication (MFA) where supported. 6. Employ web application firewalls (WAFs) to detect and block unauthorized AJAX requests targeting the vulnerable endpoint. 7. Keep WordPress core, plugins, and themes updated regularly to reduce exposure to known vulnerabilities. 8. Conduct security audits and penetration testing focusing on plugin endpoints to identify similar exposure risks. 9. Educate site administrators about the risks of exposing sensitive configuration data and best practices for plugin management.