CVE-2025-13493
Published: 07 January 2026
Summary
CVE-2025-13493 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
Reviews of access controls detect missing authorization checks on critical functions or resources.
Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.
Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization on public admin_post endpoints in WordPress plugin directly enables remote unauthenticated exploitation of a public-facing web application to access/export sensitive data.
NVD Description
The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hooked to both admin_post_my_simple_form and…
more
admin_post_nopriv_my_simple_form actions. This makes it possible for unauthenticated attackers to export complete user details (excluding passwords and sensitive tokens) in CSV format via the 'action' parameter.
Deeper analysisAI
CVE-2025-13493 is a vulnerability in the Latest Registered Users plugin for WordPress, affecting all versions up to and including 1.4. It stems from missing authorization checks and nonce validation in the rnd_handle_form_submit function, which is hooked to the admin_post_my_simple_form and admin_post_nopriv_my_simple_form actions. This flaw, classified under CWE-862 (Missing Authorization), has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability disruption.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction by sending a crafted request with the 'action' parameter to the affected admin post endpoints. Successful exploitation allows export of complete user details—excluding passwords and sensitive tokens—in CSV format, potentially exposing personal data such as usernames, emails, and registration details across the site.
Advisories, including the Wordfence threat intelligence report and WordPress plugin trac browser links, reference specific vulnerable code lines (e.g., lines 246 and 66 in latest-registered-users.php), enabling security teams to verify the issue and apply fixes from updated plugin versions beyond 1.4.
Details
- CWE(s)