{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11983", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-20T18:28:48.760Z", "datePublished": "2025-11-01T05:40:23.063Z", "dateUpdated": "2026-04-08T16:58:56.374Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:56.374Z"}, "affected": [{"vendor": "scossar", "product": "WP Discourse", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.5.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Discourse plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5.9. This is due to the plugin unconditionally sending Discourse API credentials (Api-Key and Api-Username headers) to any host specified in a post's discourse_permalink custom field during comment synchronization. This makes it possible for authenticated attackers, with author-level access and above, to exfiltrate sensitive Discourse API credentials to attacker-controlled servers, as well as query internal services and potentially perform further attacks."}], "title": "WP Discourse <= 2.5.9 - Authenticated (Author+) Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b1524f3-1c59-49a1-bbe3-94dcfd232b1d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-discourse/tags/2.5.9/lib/discourse-comment.php#L211"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-discourse/tags/2.5.9/lib/discourse-comment.php#L218"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-discourse/tags/2.5.9/lib/plugin-utilities.php#L486"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3384149%40wp-discourse&new=3384149%40wp-discourse&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-31T16:59:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-03T13:10:41.041675Z", "id": "CVE-2025-11983", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-03T13:31:15.868Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11983", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-03T13:10:41.041675Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-03T13:10:41.800Z"}}], "cna": {"title": "WP Discourse <= 2.5.9 - Authenticated (Author+) Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "scossar", "product": "WP Discourse", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.5.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-31T16:59:07.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b1524f3-1c59-49a1-bbe3-94dcfd232b1d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-discourse/tags/2.5.9/lib/discourse-comment.php#L211"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-discourse/tags/2.5.9/lib/discourse-comment.php#L218"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-discourse/tags/2.5.9/lib/plugin-utilities.php#L486"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3384149%40wp-discourse&new=3384149%40wp-discourse&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WP Discourse plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5.9. This is due to the plugin unconditionally sending Discourse API credentials (Api-Key and Api-Username headers) to any host specified in a post's discourse_permalink custom field during comment synchronization. This makes it possible for authenticated attackers, with author-level access and above, to exfiltrate sensitive Discourse API credentials to attacker-controlled servers, as well as query internal services and potentially perform further attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:56.374Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11983", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:58:56.374Z", "dateReserved": "2025-10-20T18:28:48.760Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-01T05:40:23.063Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Discourse plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5.9. This is due to the plugin unconditionally sending Discourse API credentials (Api-Key and Api-Username headers) to any host specified in a post's discourse_permalink custom field during comment synchronization. This makes it possible for authenticated attackers, with author-level access and above, to exfiltrate sensitive Discourse API credentials to attacker-controlled servers, as well as query internal services and potentially perform further attacks."}], "id": "CVE-2025-11983", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-01T06:15:39.970", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-discourse/tags/2.5.9/lib/discourse-comment.php#L211"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-discourse/tags/2.5.9/lib/discourse-comment.php#L218"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-discourse/tags/2.5.9/lib/plugin-utilities.php#L486"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3384149%40wp-discourse&new=3384149%40wp-discourse&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b1524f3-1c59-49a1-bbe3-94dcfd232b1d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:04:56.129987+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Discourse plugin to the latest version (any release newer than 2.5.9 that removes the unconditional credential transmission behavior.", "Remove or sanitize the discourse_permalink custom field from existing posts to eliminate the possibility of sending credentials to arbitrary hosts.", "Restrict outbound traffic from the WordPress server to approved Discourse endpoints using firewall or proxy rules, preventing unauthorized credential exfiltration."], "summary": {"action": "Assess Impact", "impact": "Information Exposure"}, "threat_synthesis": {"affected_systems": "The affected system is any WordPress instance that runs the WP Discourse plugin version 2.5.9 or earlier supplied by the scossar vendor. This encompasses all installations of the plugin, regardless of the underlying WordPress version, with no other plugins implicated by the current CNA data.", "description_and_impact": "The WP Discourse plugin has a flaw that causes it to transmit Discourse API credentials unconditionally to any host listed in a post\u2019s discourse_permalink custom field when synchronizing comments. Authenticated users with author\u2011level access can exploit this to send the secret Api\u2011Key and Api\u2011Username headers to attacker\u2011controlled servers. By exposing these credentials, an attacker gains the ability to authenticate with the Discourse forum, read or modify content, and possibly query internal services, representing a clear confidentiality and integrity violation.", "risk_and_exploitability": "The CVSS score of 4.3 marks this as a medium\u2011level information\u2011disclosure weakness that requires authenticated access. The EPSS score of less than 1% indicates that exploitation is unlikely at present, and the vulnerability is not listed in CISA\u2019s KEV catalog. Nevertheless, the flaw allows an attacker to exfiltrate API credentials to arbitrary hosts and use those credentials for further internal attacks, which could provide full control over the associated Discourse forum and compromise user privacy. The attack can be carried out by a user with author\u2011level privileges who modifies a post\u2019s discourse_permalink field and triggers comment synchronization, after which the credentials are sent to the specified host."}}}}, "created": "2025-11-03T10:43:41.609881+00:00", "updated": "2026-04-22T12:15:16.046217+00:00", "vendors": ["scossar", "scossar$PRODUCT$wp_discourse", "wordpress", "wordpress$PRODUCT$wordpress"]}