{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13403", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-19T14:00:48.283Z", "datePublished": "2025-12-13T03:20:23.767Z", "dateUpdated": "2026-04-08T16:37:51.973Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:51.973Z"}, "affected": [{"vendor": "emarket-design", "product": "Employee Spotlight \u2013 Team Member Showcase & Meet the Team Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Employee Spotlight \u2013 Team Member Showcase & Meet the Team Plugin for WordPress is vulnerable to unauthorized tracking settings modification due to missing authorization validation on the employee_spotlight_check_optin() function in all versions up to, and including, 5.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable tracking settings."}], "title": "Employee Spotlight \u2013 Team Member Showcase & Meet the Team Plugin <= 5.1.3 - Missing Authorization to Authenticated (Subscriber+) Tracking Opt-In/Opt-Out Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19738a82-8c31-45bb-a869-68e357299eb5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/employee-spotlight/trunk/includes/plugin-feedback-functions.php#L19"}, {"url": "https://plugins.trac.wordpress.org/browser/employee-spotlight/tags/5.1.3/includes/plugin-feedback-functions.php#L19"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3418117%40employee-spotlight&new=3418117%40employee-spotlight&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2025-11-19T14:15:57.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-12T14:37:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:25:20.120035Z", "id": "CVE-2025-13403", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:34:56.218Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13403", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:25:20.120035Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:25:21.155Z"}}], "cna": {"title": "Employee Spotlight \u2013 Team Member Showcase & Meet the Team Plugin <= 5.1.3 - Missing Authorization to Authenticated (Subscriber+) Tracking Opt-In/Opt-Out Modification", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "emarket-design", "product": "Employee Spotlight \u2013 Team Member Showcase & Meet the Team Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-19T14:15:57.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-12T14:37:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19738a82-8c31-45bb-a869-68e357299eb5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/employee-spotlight/trunk/includes/plugin-feedback-functions.php#L19"}, {"url": "https://plugins.trac.wordpress.org/browser/employee-spotlight/tags/5.1.3/includes/plugin-feedback-functions.php#L19"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3418117%40employee-spotlight&new=3418117%40employee-spotlight&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Employee Spotlight \u2013 Team Member Showcase & Meet the Team Plugin for WordPress is vulnerable to unauthorized tracking settings modification due to missing authorization validation on the employee_spotlight_check_optin() function in all versions up to, and including, 5.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable tracking settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:51.973Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13403", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:51.973Z", "dateReserved": "2025-11-19T14:00:48.283Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T03:20:23.767Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Employee Spotlight \u2013 Team Member Showcase & Meet the Team Plugin for WordPress is vulnerable to unauthorized tracking settings modification due to missing authorization validation on the employee_spotlight_check_optin() function in all versions up to, and including, 5.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable tracking settings."}], "id": "CVE-2025-13403", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-12-13T16:16:47.447", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/employee-spotlight/tags/5.1.3/includes/plugin-feedback-functions.php#L19"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/employee-spotlight/trunk/includes/plugin-feedback-functions.php#L19"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3418117%40employee-spotlight&new=3418117%40employee-spotlight&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19738a82-8c31-45bb-a869-68e357299eb5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:11:32.792044+00:00", "value": {"mitigation_remediation": ["Upgrade the Employee Spotlight plugin to version 5.1.4 or later, which restores proper authorization for tracking settings.", "If an immediate upgrade is not possible, restrict users with Subscriber role or below from accessing the plugin\u2019s settings page using a role\u2011management plugin or custom code that removes the capability.", "As a temporary measure, set the tracking option to the desired default value in the database or within the plugin\u2019s configuration file to override any unauthorized changes."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Modification of Tracking Settings"}, "threat_synthesis": {"affected_systems": "WordPress installations running the Employee Spotlight \u2013 Team Member Showcase & Meet the Team plugin version 5.1.3 or earlier are affected.", "description_and_impact": "The Employee Spotlight \u2013 Team Member Showcase & Meet the Team plugin suffers from a missing authorization check in the employee_spotlight_check_optin() function, allowing authenticated users with Subscriber level access or higher to change opt\u2011in or opt\u2011out tracking settings. This flaw does not grant code execution or privilege escalation, but it permits an attacker to alter the tracking behavior of the site, potentially enabling unwanted data collection or disabling privacy safeguards.", "risk_and_exploitability": "With a CVSS score of 4.3, the vulnerability is considered medium severity. The EPSS score of less than 1% indicates a low probability of exploitation, and the issue is not listed in CISA\u2019s KEV catalog. Exploitation requires only authenticated access with Subscriber or higher privilege, so the attack surface is limited to sites that assign such roles to users who can access the plugin\u2019s settings page. The impact remains confined to the tracking configuration and does not compromise broader system integrity or confidentiality."}}}}, "created": "2025-12-14T21:15:06.030481+00:00", "updated": "2026-04-22T16:15:21.791622+00:00", "vendors": ["emarket-design", "emarket-design$PRODUCT$employee_spotlight", "wordpress", "wordpress$PRODUCT$wordpress"]}