{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13741", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-26T13:44:15.219Z", "datePublished": "2025-12-16T11:15:44.735Z", "dateUpdated": "2026-04-08T16:44:39.699Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:39.699Z"}, "affected": [{"vendor": "publishpress", "product": "Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.9.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to retrieve emails for all users with edit_posts capability."}], "title": "Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.2 - Missing Authorization to Authenticated (Contributor+) Authors' Emails Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2f67da8c-da60-4c77-a8b8-7dfc027662e9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-expirator/tags/4.9.1/src/Modules/Workflows/Rest/RestApiV1.php#L376"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-11-17T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-26T14:03:08.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-15T22:49:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-16T14:46:40.768974Z", "id": "CVE-2025-13741", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T14:47:08.134Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13741", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-16T14:46:40.768974Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T14:46:59.082Z"}}], "cna": {"title": "Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.2 - Missing Authorization to Authenticated (Contributor+) Authors' Emails Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "publishpress", "product": "Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.9.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-17T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-11-26T14:03:08.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-15T22:49:04.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2f67da8c-da60-4c77-a8b8-7dfc027662e9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-expirator/tags/4.9.1/src/Modules/Workflows/Rest/RestApiV1.php#L376"}], "descriptions": [{"lang": "en", "value": "The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to retrieve emails for all users with edit_posts capability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-16T11:15:44.735Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13741", "state": "PUBLISHED", "dateUpdated": "2025-12-16T14:47:08.134Z", "dateReserved": "2025-11-26T13:44:15.219Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-16T11:15:44.735Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to retrieve emails for all users with edit_posts capability."}], "id": "CVE-2025-13741", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-16T12:15:46.343", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/post-expirator/tags/4.9.1/src/Modules/Workflows/Rest/RestApiV1.php#L376"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2f67da8c-da60-4c77-a8b8-7dfc027662e9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:30:45.926182+00:00", "value": {"mitigation_remediation": ["Update the PublishPress Future plugin to version 4.9.3 or later when it becomes available", "Disable or remove the getAuthors functionality by editing the plugin files if an update is not immediately possible", "Enforce stricter role permissions by ensuring that Contributor accounts do not have edit_posts capability on the site"], "summary": {"action": "Patch", "impact": "Unauthorized access to user email addresses"}, "threat_synthesis": {"affected_systems": "The affected system is any WordPress site running the PublishPress Future plugin on versions up to and including 4.9.2, such as sites using the Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories module.", "description_and_impact": "The vulnerability is a missing capability check in the getAuthors function of the PublishPress Future plugin, which enables authenticated users with Contributor-level access or higher to read the email addresses of all users who have the edit_posts capability. This flaw does not allow code execution or other destructive actions, but it does expose personally identifiable information that could be used for phishing or social engineering attacks.", "risk_and_exploitability": "The CVSS score is 4.3, indicating a moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need only Contributor-level or higher access on the affected WordPress installation; no external exploitation vector is required. Therefore the risk is limited to sites where users with such roles exist and may be exploitable if those accounts are compromised."}}}}, "created": "2025-12-16T17:08:48.301136+00:00", "updated": "2026-04-22T20:45:27.078807+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}