CVE-2025-13493 – This vulnerability in the Latest Registered Use... (How to Fix)

Q: What is the severity of CVE-2025-13493?

CVE-2025-13493 has a CVSS score of 7.5 (HIGH). This vulnerability in the Latest Registered Users WordPress plugin allows unauthenticated attackers to export complete user data (excluding passwords) in CSV format. It affects all WordPress sites using this plugin up to version 1.4. The issue stems from missing authorization checks and nonce validation in form handling functions.

📋 TL;DR

This vulnerability in the Latest Registered Users WordPress plugin allows unauthenticated attackers to export complete user data (excluding passwords) in CSV format. It affects all WordPress sites using this plugin up to version 1.4. The issue stems from missing authorization checks and nonce validation in form handling functions.

💻 Affected Systems

Products:

WordPress Latest Registered Users plugin

Versions: All versions up to and including 1.4

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects any WordPress installation with the vulnerable plugin activated. No special configuration required for exploitation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Mass data exfiltration of all user information including usernames, emails, registration dates, and other personal data, leading to privacy violations, targeted phishing campaigns, and potential regulatory penalties.

🟠

Likely Case

Unauthorized access to user lists enabling targeted attacks, spam campaigns, or reconnaissance for credential stuffing attacks against users.

🟢

If Mitigated

Limited exposure if plugin is disabled or access controls prevent external exploitation, though internal users could still potentially exploit the vulnerability.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only a simple HTTP request with the 'action' parameter set to trigger the vulnerable function. No authentication or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check WordPress plugin repository for updates beyond 1.4

Vendor Advisory: https://plugins.trac.wordpress.org/browser/latest-registered-users/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Latest Registered Users' plugin. 4. Click 'Update Now' if update available. 5. If no update available, disable and remove the plugin.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the Latest Registered Users plugin until a patch is available

wp plugin deactivate latest-registered-users

Restrict access via web server

linux

Block access to admin-post.php endpoints for unauthenticated users

# Add to .htaccess for Apache:
<Files "admin-post.php">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
# Add to nginx config:
location ~* /wp-admin/admin-post.php {
    deny all;
    allow 127.0.0.1;
}

🧯 If You Can't Patch

Disable the Latest Registered Users plugin immediately
Implement web application firewall rules to block requests to admin-post.php with suspicious parameters

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Latest Registered Users' version 1.4 or earlier

Check Version:

wp plugin list --name=latest-registered-users --field=version

Verify Fix Applied:

Verify plugin is either updated to version after 1.4 or completely removed from the plugins directory

📡 Detection & Monitoring

Log Indicators:

HTTP POST requests to /wp-admin/admin-post.php with 'action' parameter
CSV file downloads from admin-post.php endpoint
Unusual spikes in requests to admin-post.php from single IPs

Network Indicators:

HTTP POST requests with Content-Type: application/x-www-form-urlencoded to admin-post.php
Responses with Content-Type: text/csv containing user data

SIEM Query:

source="web_server" AND (url_path="/wp-admin/admin-post.php" AND http_method="POST" AND (form_data.action="my_simple_form" OR response_content_type="text/csv"))

📊 Metadata

CVE ID: CVE-2025-13493

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-862

EPSS Score: 0.04% exploit probability (13.1th percentile)

Published: January 7, 2026

Last Updated: January 8, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13493, you might also want to check these: