CVE-2025-13493
WordPress · WordPress "Latest Registered Users" plugin
Executive summary
A high-severity vulnerability has been identified in the "Latest Registered Users" plugin for WordPress, designated as CVE-2025-13493. This flaw allows an unauthenticated attacker to export sensitive user data from an affected website without authorization. Successful exploitation could lead to a significant data breach, exposing user information and creating privacy and reputational risks for the organization.
Vulnerability
The vulnerability exists due to a lack of proper access control on the data export functionality within the "Latest Registered Users" plugin. An unauthenticated attacker can send a specially crafted request to a specific endpoint exposed by the plugin. The plugin fails to verify whether the user making the request has the necessary permissions; it processes the request anyway and returns sensitive data about the site's registered users, which may include usernames, email addresses, and registration dates.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could result in a significant data breach, leading to the unauthorized disclosure of Personally Identifiable Information (PII) of all users registered on the website. The business impact includes severe reputational damage, loss of customer trust, and potential financial penalties under data protection regulations such as GDPR or CCPA. The stolen data could also be leveraged by malicious actors to conduct targeted phishing campaigns, credential stuffing attacks, or spam against the user base.
Remediation
Immediate Action:
- Identify all WordPress instances running the "Latest Registered Users" plugin.
- Update the plugin to the latest patched version provided by the developer immediately.
- If the plugin is not critical to business operations, the recommended course of action is to deactivate and completely remove it to eliminate this attack vector.
Proactive Monitoring:
- Review web server access logs for anomalous GET or POST requests to endpoints associated with the "Latest Registered Users" plugin.
- Monitor for unusual patterns of activity, such as multiple requests from a single IP address attempting to access plugin-specific URLs, which could indicate scanning or exploitation attempts.
- Monitor for unexpected outbound data transfers that could signify a successful data exfiltration event.
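The log review described in the three monitoring items above can be scripted. The following is an added example written for this advisory, not code from the advisory's author or from the plugin's developer. It assumes Apache/nginx "combined" log format, a placeholder plugin directory name (`/wp-content/plugins/latest-registered-users/`) and a placeholder `admin-ajax.php` action name; neither identifier is taken from the advisory, so confirm the real paths on your own install before using it. The sample log lines are constructed for the demonstration.

```python
"""Flag scanning and possible bulk export against a WordPress plugin's endpoints.

Added example for this advisory (not the plugin's or the advisory author's code).
Assumptions (placeholders, not taken from the advisory):
  - access logs are in Apache/nginx "combined" format;
  - the plugin lives under PLUGIN_DIR below (confirm the real slug);
  - its export handler is reached via admin-ajax.php with ACTION_MARKER in the action name.
"""
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Assumed plugin-specific URL markers (placeholders).
PLUGIN_DIR = "/wp-content/plugins/latest-registered-users/"
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
ACTION_MARKER = "latest_registered_users"

# Tunable thresholds: plugin hits from one IP that count as scanning, and a
# 200 response size to the plugin that is large enough to look like a user export.
SCAN_THRESHOLD = 5
LARGE_RESPONSE_BYTES = 50_000

# Constructed sample log: one scanning host, one large export-like response, normal traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "GET /wp-content/plugins/latest-registered-users/readme.txt HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2025:10:00:06 +0000] "GET /wp-content/plugins/latest-registered-users/index.php HTTP/1.1" 200 0 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2025:10:00:07 +0000] "POST /wp-content/plugins/latest-registered-users/index.php HTTP/1.1" 405 312 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2025:10:00:08 +0000] "GET /wp-content/plugins/latest-registered-users/includes/ HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2025:10:00:09 +0000] "GET /wp-content/plugins/latest-registered-users/assets/ HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2025:10:00:10 +0000] "GET /wp-content/plugins/latest-registered-users/lib/ HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.23 - - [10/Jan/2025:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=latest_registered_users_export HTTP/1.1" 200 184320 "-" "python-requests/2.31"
192.0.2.10 - - [10/Jan/2025:10:06:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 41 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of the fields we need, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    req["bytes"] = 0 if req["bytes"] == "-" else int(req["bytes"])
    return req


def is_plugin_request(path):
    """True for requests under the plugin directory or to its assumed AJAX action."""
    if path.startswith(PLUGIN_DIR):
        return True
    return path.startswith(AJAX_ENDPOINT) and ACTION_MARKER in path


def analyze(lines, scan_threshold=SCAN_THRESHOLD, large_bytes=LARGE_RESPONSE_BYTES):
    """Count plugin requests per source IP and note large successful responses.

    Returns {"scanners": {ip: count}, "large_responses": [(ip, path, bytes), ...]}.
    """
    per_ip = Counter()
    large = []
    for line in lines:
        req = parse_line(line)
        if req is None or not is_plugin_request(req["path"]):
            continue
        per_ip[req["ip"]] += 1
        # A 200 with a large body from the plugin is the log-side trace of
        # "unexpected outbound data transfer" (a possible user-data export).
        if req["status"] == 200 and req["bytes"] >= large_bytes:
            large.append((req["ip"], req["path"], req["bytes"]))
    scanners = {ip: n for ip, n in per_ip.items() if n >= scan_threshold}
    return {"scanners": scanners, "large_responses": large}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG.splitlines())
    for ip, n in findings["scanners"].items():
        print(f"possible scanning: {ip} made {n} plugin requests")
    for ip, path, size in findings["large_responses"]:
        print(f"possible export: {ip} received {size} bytes from {path}")
```

Run it against a real log with `analyze(open("access.log").readlines())`. The two thresholds are deliberately separate: repeated probing of plugin paths (mostly 403/404) points at scanning, while a single 200 with a large body is the signal that matters for the export flaw this advisory describes, and it can come from an IP that never tripped the scan count.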
Compensating Controls:
- If immediate patching is not feasible, deploy a Web Application Firewall (WAF) rule to block access to the vulnerable endpoint or function within the plugin.
- Temporarily deactivate the plugin until a patch can be applied. This will remove the immediate threat but will also disable its functionality.
- Restrict access at the web server level to the plugin's specific files or directories if the vulnerable component can be isolated.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Due to the high severity (CVSS 7.5) and the direct risk of a user data breach, immediate action is strongly recommended. Organizations must prioritize identifying and remediating this vulnerability on all public-facing WordPress sites. The primary recommendation is to update the "Latest Registered Users" plugin to a secure version without delay. Furthermore, security teams should perform an audit to determine if the plugin's functionality is essential; if not, it should be removed entirely to reduce the overall attack surface.