CVE-2025-13660
📋 TL;DR
The Guest Support WordPress plugin up to version 1.2.3 contains an unauthenticated user email disclosure vulnerability. Attackers can exploit a public AJAX endpoint to enumerate user accounts and retrieve email addresses without authentication. This affects all WordPress sites running vulnerable versions of the Guest Support plugin.
💻 Affected Systems
- WordPress Guest Support plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Mass email harvesting leading to targeted phishing campaigns, spam attacks, or credential stuffing against exposed users
Likely Case
Email address enumeration enabling spam lists, targeted marketing, or reconnaissance for further attacks
If Mitigated
Limited exposure if plugin is disabled or access controls are implemented
🎯 Exploit Status
Simple HTTP request to the vulnerable endpoint with specific parameters
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.4 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Guest Support plugin
4. Click 'Update Now' if available
5. If no update appears, manually download version 1.2.4+ from WordPress.org
6. Deactivate and delete old version
7. Upload and activate new version
🔧 Temporary Workarounds
Disable Guest Support plugin
allTemporarily deactivate the vulnerable plugin until patched
wp plugin deactivate guest-support
Block vulnerable endpoint via .htaccess
linuxRestrict access to the vulnerable AJAX endpoint
RewriteEngine On
RewriteRule ^wp-content/plugins/guest-support/includes/library/ajax\.php$ - [F,L]
🧯 If You Can't Patch
- Disable the Guest Support plugin immediately
- Implement web application firewall rules to block requests to the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Guest Support version. If version is 1.2.3 or lower, you are vulnerable.Check Version:
wp plugin get guest-support --field=versionVerify Fix Applied:
After update, confirm Guest Support plugin version is 1.2.4 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-content/plugins/guest-support/includes/library/ajax.php with guest_support_handler=ajax&request=get_users parameters
Network Indicators:
- Unusual volume of requests to the Guest Support AJAX endpoint from single or multiple IPs
SIEM Query:
source="web_access_logs" AND uri_path="*ajax.php*" AND query_string="*guest_support_handler=ajax*request=get_users*"🔗 References
- https://plugins.trac.wordpress.org/browser/guest-support/tags/1.2.3/includes/library/ajax.php#L22
- https://plugins.trac.wordpress.org/browser/guest-support/trunk/includes/library/ajax.php#L22
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412822%40guest-support&new=3412822%40guest-support&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/01299aba-0dff-47fd-9e90-ee84f00a0f3b?source=cve
