Overview
CVE-2025-12770 is a medium-severity vulnerability affecting the New User Approve plugin for WordPress, versions up to and including 3.0.9. This vulnerability allows unauthenticated attackers to retrieve sensitive user information, including usernames and email addresses, by exploiting a weakness in the Zapier REST API endpoint’s API key validation.
Technical Details
The vulnerability stems from insufficient API key validation in the plugin's Zapier integration (rest-api.php). The code compares the request's api_key parameter against the configured Zapier API key with PHP's loose equality operator (==), which converts operands before comparing them. A request parameter always arrives as a string, and the string "0" compares equal under == to the integer 0 and to the boolean false, the value an option that has never been saved typically yields (it does not, however, equal an empty string). So when no Zapier API key has been configured, a request with api_key=0 satisfies the check and reaches the Zapier REST API endpoints, which return Personally Identifiable Information (PII) about users in the various approval states.
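The comparison behaviour described above, as an added example (this is not the plugin's code; the function names and the set of "unset key" values are assumed for illustration). It places the loose check beside a strict replacement that refuses to run when no key is configured and otherwise compares in constant time with hash_equals():

```php
<?php
// Added example, not the plugin's code. Demonstrates why comparing a
// request-supplied api_key against a stored key with == is bypassable when
// the stored key is unset, and what a hardened check looks like.
// check_key_loose / check_key_strict are illustrative names.
declare(strict_types=1);

// Loose comparison: the vulnerable pattern the advisory describes.
function check_key_loose($stored, $supplied): bool
{
    return $supplied == $stored;
}

// Hardened: require a configured, non-empty string key, then compare in
// constant time. Anything else (false, null, '', 0) denies the request.
function check_key_strict($stored, string $supplied): bool
{
    if (!is_string($stored) || $stored === '') {
        return false; // integration not configured: deny everything
    }
    return hash_equals($stored, $supplied);
}

// Forms an unconfigured option can take. Constructed inputs; WordPress's
// get_option() returns false for an option that was never saved, the other
// rows are shown for comparison.
$unset_forms = [
    'false (unset option)' => false,
    'empty string'         => '',
    'null'                 => null,
    'integer 0'            => 0,
];
$supplied = '0'; // attacker sends api_key=0; $_GET values are always strings

foreach ($unset_forms as $label => $stored) {
    printf(
        "stored=%-22s loose=%-5s strict=%s\n",
        $label,
        check_key_loose($stored, $supplied) ? 'PASS' : 'deny',
        check_key_strict($stored, $supplied) ? 'PASS' : 'deny'
    );
}

// With a real key configured, "0" no longer matches under either operator;
// the strict version additionally accepts only an exact string match.
$real = bin2hex(random_bytes(16));
var_dump(check_key_loose($real, '0'));   // false
var_dump(check_key_strict($real, '0'));  // false
var_dump(check_key_strict($real, $real)); // true
```

Run it with the php CLI: the loose check passes for the false and integer-0 rows, which is the unset-key condition the advisory describes, while the strict check denies every row. The strict version also fixes a second weakness that == hides: with a key configured, == would still treat numeric-looking strings such as "1e3" and "1000" as equal, whereas hash_equals() compares bytes.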
Specifically, the following lines of code in rest-api.php are implicated:
CVSS Analysis
- Severity: MEDIUM
- CVSS Score: 5.3
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
This CVSS score indicates that the vulnerability is remotely exploitable (AV:N) with low attack complexity (AC:L). No privileges are required (PR:N) and no user interaction is needed (UI:N). The scope is unchanged (S:U), with a low impact on confidentiality (C:L), and no impact on integrity (I:N) or availability (A:N). While not critical, the ability to retrieve PII without authentication presents a significant security risk.
Possible Impact
Successful exploitation of this vulnerability can lead to:
- Data Breach: Unauthorized access to usernames and email addresses of WordPress users.
- Phishing Attacks: Stolen email addresses can be used for targeted phishing campaigns.
- Account Enumeration: Attackers can use the exposed usernames to attempt brute-force attacks or credential stuffing.
- Privacy Violation: Exposure of PII violates user privacy and can lead to compliance issues.
Mitigation or Patch Steps
The primary mitigation is to update the New User Approve plugin to the latest version, which includes a fix for this vulnerability. If an update is not yet available, consider these temporary workarounds:
- Disable the Zapier integration: If you are not actively using the Zapier integration, disable it within the plugin settings.
- Configure a strong API key: Ensure that a long, randomly generated, unique API key is configured in the plugin's Zapier settings. Because the api_key=0 bypass only succeeds when no key is configured, setting one closes that path; it does not replace the code fix.
- Monitor access logs: Regularly review your web server access logs for suspicious activity related to the /wp-json/new-user-approve/v1/zapier/ endpoint.
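A log check for the last workaround, as an added example that is not part of the advisory or the plugin: it scans combined-format access-log lines for requests to the Zapier route whose api_key is "0", empty or absent. The route prefix is taken from the text above, and the sample log lines are constructed; real Zapier traffic and the exact route list may differ, so treat the matching as a starting point.

```php
<?php
// Added example, not from the advisory or the plugin. Flags access-log entries
// that hit the Zapier REST route with a missing, empty or "0" api_key.
// ZAPIER_ROUTE is assumed from the advisory; classify_request is an
// illustrative name.
declare(strict_types=1);

const ZAPIER_ROUTE = '/wp-json/new-user-approve/v1/zapier/';

// Returns a one-line finding for a suspicious request, or null otherwise.
function classify_request(string $logLine): ?string
{
    // Combined log format: client ident user [time] "METHOD target HTTP/x" status size ...
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $logLine, $m)) {
        return null; // not a line we understand; skip rather than guess
    }
    [, $client, $method, $target, $status] = $m;

    $path  = parse_url($target, PHP_URL_PATH) ?? '';
    $query = parse_url($target, PHP_URL_QUERY) ?? '';
    if (strpos($path, ZAPIER_ROUTE) !== 0) {
        return null; // some other route
    }

    parse_str($query, $params);
    $key = $params['api_key'] ?? null;
    if ($key === null) {
        $reason = 'api_key missing';
    } elseif ($key === '' || $key === '0') {
        $reason = "api_key='$key' (type-juggling probe)";
    } else {
        return null; // a real-looking key was supplied; out of scope here
    }

    // A 200 on one of these means the check was likely bypassed; other
    // statuses still show someone probing the route.
    return sprintf('%s %s %s -> %s: %s', $client, $method, $path, $status, $reason);
}

// Constructed sample lines, not real traffic.
$sample = [
    '203.0.113.5 - - [10/Nov/2025:10:00:01 +0000] "GET /wp-json/new-user-approve/v1/zapier/?api_key=0 HTTP/1.1" 200 812 "-" "curl/8.4"',
    '203.0.113.5 - - [10/Nov/2025:10:00:02 +0000] "GET /wp-json/new-user-approve/v1/zapier/?api_key= HTTP/1.1" 403 45 "-" "curl/8.4"',
    '198.51.100.7 - - [10/Nov/2025:10:01:00 +0000] "GET /wp-json/new-user-approve/v1/zapier/?api_key=d1c2e3f4a5b6 HTTP/1.1" 200 812 "-" "Zapier"',
    '192.0.2.9 - - [10/Nov/2025:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
];

foreach ($sample as $line) {
    $hit = classify_request($line);
    if ($hit !== null) {
        echo $hit, PHP_EOL;
    }
}
```

Run with the php CLI, or feed a real log with `while ($line = fgets(STDIN))` in place of the sample array. Only the first two sample lines are reported; the request with a real-looking key and the unrelated route are ignored. Two caveats: a key sent in a POST body or a header never appears in the access log, so this check sees only query-string usage, and a 200 on a flagged line is the signal to investigate, since it means the endpoint answered an unauthenticated request.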
