CVE-2025-13741
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to retrieve email addresses of all users who can edit posts. The Schedule Post Changes With PublishPress Future plugin versions up to 4.9.2 are affected.
💻 Affected Systems
- Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could harvest all editor email addresses for phishing campaigns, credential stuffing attacks, or targeted social engineering against administrators.
Likely Case
Low-privilege users could access email addresses of higher-privileged users, potentially enabling targeted attacks against administrators.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized data access without system compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial once authenticated. The vulnerability is in a REST API endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.3 or later
Vendor Advisory: https://wordpress.org/plugins/post-expirator/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'PublishPress Future' plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 4.9.3+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the PublishPress Future plugin until patched
wp plugin deactivate post-expirator
Restrict user roles
allLimit Contributor and higher roles to trusted users only
🧯 If You Can't Patch
- Implement strict access controls and monitor user activity logs
- Consider using web application firewall rules to block suspicious API requests
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for PublishPress Future version 4.9.2 or lowerCheck Version:
wp plugin get post-expirator --field=versionVerify Fix Applied:
Verify plugin version is 4.9.3 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual GET requests to /wp-json/publishpress-future/v1/authors endpoint from Contributor-level users
- Multiple requests to user enumeration endpoints
Network Indicators:
- HTTP requests to vulnerable REST API endpoint from authenticated sessions
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-json/publishpress-future/v1/authors" OR plugin="post-expirator")