Urgent: Unauthenticated User Data Leak in Ultimate Member Widgets for Elementor Plugin (CVE-2025-12778)

Overview

CVE-2025-12778 is a medium-severity vulnerability affecting the Ultimate Member Widgets for Elementor – WordPress User Directory plugin for WordPress. It allows unauthenticated attackers to extract partial metadata of all WordPress users, including their first name, last name, and email address. The cause is a missing capability check on the handle_filter_users function in versions up to and including 2.3.

Technical Details

The vulnerability stems from the lack of proper access control within the handle_filter_users function. This function, intended to filter user data based on specific criteria, fails to verify if the user making the request has the necessary permissions. Consequently, an unauthenticated attacker can directly call this function, bypassing the intended security measures and gaining access to sensitive user information. The function is exposed and accessible without any authentication, leading to the data leak.
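To make the missing check concrete, the following is an added illustration of the pattern described above and of a hardened form of it. It is not the plugin's code: the hook names, the `list_users` capability and the filtering logic are assumptions for the example.

```php
<?php
// Added illustration, not the plugin's code. Hook names, the 'list_users'
// capability and the filter logic are assumptions for this example.

// The pattern the advisory describes: a handler reachable without a login
// that filters users and returns names and e-mail addresses, with no check
// of who is asking.
function handle_filter_users_unchecked() {
    $q     = sanitize_text_field( wp_unslash( $_POST['q'] ?? '' ) );
    $users = get_users( array( 'search' => '*' . $q . '*' ) );
    $out   = array();
    foreach ( $users as $u ) {
        $out[] = array(
            'first' => $u->first_name,
            'last'  => $u->last_name,
            'email' => $u->user_email,
        );
    }
    wp_send_json_success( $out );
}
// A wp_ajax_nopriv_ hook makes the handler callable by anyone. (hypothetical action name)
add_action( 'wp_ajax_nopriv_example_filter_users', 'handle_filter_users_unchecked' );

// Hardened form: nonce check, capability check, and a response limited to
// the fields the caller actually needs.
function handle_filter_users_checked() {
    check_ajax_referer( 'example_filter_users', 'nonce' ); // dies on a missing or invalid nonce
    if ( ! current_user_can( 'list_users' ) ) {            // assumed capability for this action
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $q     = sanitize_text_field( wp_unslash( $_POST['q'] ?? '' ) );
    $users = get_users( array(
        'search' => '*' . $q . '*',
        'fields' => array( 'ID', 'display_name' ), // no e-mail or real names in the response
    ) );
    $out   = array();
    foreach ( $users as $u ) {
        $out[] = array( 'id' => (int) $u->ID, 'name' => $u->display_name );
    }
    wp_send_json_success( $out );
}
// Registered for logged-in users only; there is deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_filter_users', 'handle_filter_users_checked' );
```

The two changes that matter are the `current_user_can()` check, which is what the affected versions lack, and the absence of a `wp_ajax_nopriv_` registration for the hardened handler.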

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-12778 is 5.3 (Medium).

  • Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Explanation: This score reflects the fact that the vulnerability can be exploited over the network (AV:N) with low attack complexity (AC:L) without requiring any privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U), and the confidentiality impact is low (C:L), as only limited user data is exposed. There is no integrity or availability impact (I:N, A:N).

Possible Impact

The exploitation of CVE-2025-12778 can have several negative consequences:

  • Data Breach: Exposure of user email addresses, first names, and last names.
  • Phishing Attacks: Collected email addresses can be used for targeted phishing campaigns.
  • Reputational Damage: Loss of user trust due to the data breach.
  • Spam Campaigns: Exposed email addresses can be added to spam lists.

Mitigation and Patch Steps

The recommended course of action is to update the Ultimate Member Widgets for Elementor – WordPress User Directory plugin to the latest version. The vulnerability has been patched in versions released after 2.3.

  1. Update the Plugin: Navigate to the “Plugins” section in your WordPress dashboard and update the “Ultimate Member Widgets for Elementor” plugin to the latest available version.
  2. Verify Update: After updating, verify that the plugin version is higher than 2.3 to ensure the patch is applied.
  3. Monitor for Suspicious Activity: Keep an eye on your server logs for any unusual access patterns or attempts to exploit the vulnerability.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
