CVE-2025-4302: CWE-203 Observable Discrepancy in Stop User Enumeration
The Stop User Enumeration WordPress plugin before version 1.7.3 blocks REST API /wp-json/wp/v2/users/ requests for non-authorized users. However, this can be bypassed by URL-encoding the API path.
AI Analysis
Technical Summary
CVE-2025-4302 affects the Stop User Enumeration WordPress plugin in versions before 1.7.3. The plugin exists to stop unauthenticated clients from listing WordPress accounts, and one of the controls it implements is a block on unauthorized requests to the REST API user collection at /wp-json/wp/v2/users/. The advisory states that this block can be bypassed by URL-encoding the API path: a request that spells the same route with percent-encoded characters (for example, one letter of "users" encoded) is not recognised by the plugin's check, while WordPress decodes the path before routing and serves the same user listing. This is the usual shape of a decode-after-check bug, where the filter compares the raw request string against a literal and the application matches on the decoded, canonical form; the plugin's exact code path is not reproduced in this record. The issue is filed under CWE-203 (Observable Discrepancy); in practice it is an information disclosure. The unauthenticated users route returns, for each listed account, the display name, the user slug (which by default derives from the login name), the profile URL and avatar URLs; WordPress core only lists accounts that have published public content to anonymous callers, but on most sites that includes administrators and editors. Those names feed brute-force and credential-stuffing attempts against wp-login.php and XML-RPC, as well as phishing and social engineering. No exploitation in the wild is reported in this record, and no CVSS score has been assigned. The description's wording ("before version 1.7.3") identifies 1.7.3 as the fixed release, although the record carries no patch link. Because preventing enumeration is the plugin's sole purpose, the bypass defeats its core function.
Potential Impact
For European organizations running WordPress with the Stop User Enumeration plugin, this vulnerability removes the confidentiality control the plugin was installed to provide. Unauthorized enumeration exposes account names and related metadata that attackers use to target credential stuffing, brute-force logins and spear phishing at real accounts rather than guessed ones. Organizations in sectors with strict data-protection obligations, such as finance, healthcare and government, may face compliance questions if user information is exposed, and a successful follow-on attack carries reputational cost. Because WordPress is used across Europe by everything from small businesses to large enterprises, the population of affected sites is broad. The flaw does not by itself compromise integrity or availability; it is an enabler for more severe attacks. Sites that have not updated to 1.7.3 remain exposed, and exploitation requires no authentication, no special tooling and no skill beyond percent-encoding one character in a GET request, so opportunistic mass scanning is likely.
Mitigation Recommendations
European organizations should update the plugin to 1.7.3 or later, the release the advisory identifies as fixed, and confirm the installed version in the WordPress admin or with WP-CLI. After updating, verify the fix by requesting the user endpoint unauthenticated with one path character percent-encoded and confirming that the response is a rejection rather than a user list. Where the update cannot be applied immediately, add a WAF or reverse-proxy rule that percent-decodes and normalizes the request path before matching it against /wp-json/wp/v2/users, rather than matching the raw string; a rule that only looks for encoded variants repeats the plugin's mistake in reverse and will miss the next encoding. The same rule should cover the query-string form of REST routing (?rest_route=/wp/v2/users), which WordPress accepts alongside the pretty-permalink path. Where feasible, require authentication for the users route (for example with the rest_authentication_errors filter) or remove it for anonymous callers entirely. Audit installations to determine whether the plugin is present, rate-limit the REST API to slow automated enumeration, and watch access logs for percent-encoded requests to REST API paths, which have no legitimate reason to appear. Regular plugin updates remain the baseline control.
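The following is an added illustration, not the plugin's code and not a statement about its source: it contrasts the check the advisory describes as bypassable (a literal match on the raw request URI) with a check that decodes and normalizes the path first, and it supports both the technical summary above and the WAF guidance in the mitigation section. The decode-after-check ordering, the helper names and the sample request lines are all assumptions made for the example. The ?rest_route= variants are included because any normalizer should handle them, not because the advisory says the plugin missed them.

```python
"""Naive vs. normalized matching of the WordPress REST users route.

Assumption (not taken from the plugin's source): the vulnerable check is a
substring match on the raw, still-percent-encoded request URI, while
WordPress decodes the path before dispatching the REST route.
"""
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

USERS_ROUTE = "/wp/v2/users"
WP_JSON_SEGMENT = "/wp-json/"


def naive_block(request_uri: str) -> bool:
    """Literal match on the undecoded URI: the pattern the bypass defeats."""
    return "/wp-json/wp/v2/users" in request_uri


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, with a bound.

    WordPress decodes only once, so a double-encoded request would not
    actually reach the route; decoding repeatedly is deliberately
    conservative for a blocking filter.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def rest_route(request_uri: str) -> Optional[str]:
    """Recover the REST route WordPress would dispatch for this request.

    Handles the pretty-permalink form (/wp-json/...), including sub-directory
    installs, and the query-string form (?rest_route=/...). Returns None when
    the request is not a REST call at all.
    """
    parts = urlsplit(request_uri)
    path = posixpath.normpath(fully_decode(parts.path))  # collapses //, /./, /../
    idx = path.find(WP_JSON_SEGMENT)
    if idx != -1:
        route = path[idx + len(WP_JSON_SEGMENT) - 1:]
    else:
        query = parse_qs(parts.query)  # parse_qs decodes each value once
        if "rest_route" not in query:
            return None
        route = posixpath.normpath(fully_decode(query["rest_route"][0]))
    return "/" + route.strip("/")


def hardened_block(request_uri: str) -> bool:
    """Match on the canonical route: the users collection and anything under it."""
    route = rest_route(request_uri)
    if route is None:
        return False
    return route == USERS_ROUTE or route.startswith(USERS_ROUTE + "/")


# Constructed sample requests for the demonstration; not captured traffic.
SAMPLE_REQUESTS = [
    "/wp-json/wp/v2/users/",                 # plain request, both checks catch it
    "/wp-json/wp/v2/users?search=adm",       # search variant, both catch it
    "/wp-json/wp/v2/%75sers/",               # 'u' percent-encoded: the bypass
    "/wp-json/wp/v2/%2575sers/",             # double-encoded, blocked conservatively
    "/?rest_route=/wp/v2/users",             # query-string routing form
    "/?rest_route=%2Fwp%2Fv2%2Fusers%2F1",   # encoded query-string form
    "/wp-json/wp/v2/posts",                  # different route, must stay open
    "/blog/users/",                          # not a REST call at all
]


def classify_samples() -> List[Tuple[str, bool, bool]]:
    """Return (uri, naive_blocked, hardened_blocked) for each sample."""
    return [(u, naive_block(u), hardened_block(u)) for u in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for uri, naive, hardened in classify_samples():
        flag = "BYPASS" if hardened and not naive else ""
        print(f"{uri:40} naive={naive!s:5} hardened={hardened!s:5} {flag}")
```

The point of the normalized check is that it decides on the route WordPress will actually dispatch, so any encoding the web server and WordPress accept ends up compared in the same canonical form; a WAF rule written the other way round, as a list of encoded spellings to deny, has to be maintained against every new variant.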
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2025-05-05T12:24:36.389Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 6878aa44a83201eaace33190
Added to database: 7/17/2025, 7:46:12 AM
Last enriched: 7/17/2025, 8:01:08 AM
Last updated: 7/17/2025, 2:00:03 PM
Related Threats
- CVE-2025-6249: CWE-602: Client-Side Enforcement of Server-Side Security in Lenovo FileZ Client (High)
- CVE-2025-6248: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Lenovo Browser (High)
- CVE-2025-6232: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in Lenovo Vantage (High)
- CVE-2025-6231: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in Lenovo Vantage (High)
- CVE-2025-6230: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Lenovo Vantage (Medium)