Description
The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using loose equality comparison. This makes it possible for unauthenticated attackers to retrieve personally identifiable information (PII), including usernames and email addresses of users with various approval statuses via the Zapier REST API endpoints, by exploiting PHP type juggling with the api_key parameter set to "0" on sites where the Zapier API key has not been configured.
Published: 2025-11-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Disclosure of Personally Identifiable Information
Action: Patch Immediately
AI Analysis

Impact

The vulnerability arises from the New User Approve WordPress plugin's insecure validation of the Zapier REST API key. The plugin compares the supplied api_key parameter to the stored value with PHP's loose equality operator, so a value such as the string "0" satisfies the check when no Zapier key has been configured. This lets attackers call the endpoints that list usernames and email addresses of all users, regardless of approval status, leaking sensitive personal data.
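
To make the loose-comparison failure and its fix concrete, the following PHP snippet is a constructed illustration added here, not code from the New User Approve plugin. It assumes the key is read with WordPress get_option(), which returns false when an option was never saved, under a hypothetical option name, and sets the == check beside a strict, constant-time check that also refuses requests when no key is configured.

```php
<?php
// Constructed illustration (not the plugin's code) of why a loose comparison
// against an unset option accepts api_key="0", and of the strict replacement.

// Stand-in for WordPress get_option(): returns false when the option was
// never saved. The option name below is hypothetical.
function get_option_stub(string $name, array $options)
{
    return $options[$name] ?? false;
}

// Vulnerable pattern: loose equality. With the key unset the stored value is
// false, and false == "0" is true in PHP because "0" is a falsy string, so
// the comparison is made on booleans rather than on the key material.
function vulnerable_key_check(array $options, $supplied): bool
{
    $stored = get_option_stub('zapier_api_key', $options);
    return $stored == $supplied;
}

// Hardened pattern: close the endpoint when no key is configured, require a
// string on both sides, and compare with hash_equals() (strict, constant-time).
function hardened_key_check(array $options, $supplied): bool
{
    $stored = get_option_stub('zapier_api_key', $options);
    if (!is_string($stored) || $stored === '') {
        return false; // no key configured: never authenticate anyone
    }
    if (!is_string($supplied) || $supplied === '') {
        return false; // reject non-string or empty input before comparing
    }
    return hash_equals($stored, $supplied);
}

$unset      = [];                                   // site never set a key
$configured = ['zapier_api_key' => 'k3y-example'];  // constructed sample key

echo "loose, key unset, api_key=\"0\":      ";
var_dump(vulnerable_key_check($unset, "0"));
echo "strict, key unset, api_key=\"0\":     ";
var_dump(hardened_key_check($unset, "0"));
echo "strict, key set, api_key=\"0\":       ";
var_dump(hardened_key_check($configured, "0"));
echo "strict, key set, correct api_key:   ";
var_dump(hardened_key_check($configured, "k3y-example"));
```

Only the first call authenticates; the three strict checks fail or succeed solely on whether the supplied string matches a configured key.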

Affected Systems

WordPress sites running the New User Approve plugin version 3.0.9 or earlier are affected. The issue originates in the Zapier REST API endpoint file includes/zapier/includes/rest-api.php. Sites that have not configured a Zapier API key are the ones exposed.

Risk and Exploitability

The CVSS v3 score is 5.3, indicating moderate severity, and the EPSS score is less than 1%, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalogue. Exploitation requires only a single unauthenticated HTTP or HTTPS request to the exposed REST endpoint with api_key set to "0", so it is straightforward wherever the API is reachable.

Generated by OpenCVE AI on April 21, 2026 at 18:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 3.1.0 or later of the New User Approve plugin, which removes the insecure key comparison
  • If an update cannot be applied immediately, set a valid Zapier API key in the plugin configuration to enforce authenticated access
  • Disable or remove the Zapier REST API functionality if it is not required for site operations
  • Consider restricting access to the REST API endpoints through network firewalls, access-control lists, or WordPress role restrictions

Advisories

No advisories yet.

History

Thu, 20 Nov 2025 10:45:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Wed, 19 Nov 2025 19:15:00 +0000

Type: Metrics
  Values Added: ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 19 Nov 2025 03:45:00 +0000

Type: Description
  Values Added: The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using loose equality comparison. This makes it possible for unauthenticated attackers to retrieve personally identifiable information (PII), including usernames and email addresses of users with various approval statuses via the Zapier REST API endpoints, by exploiting PHP type juggling with the api_key parameter set to "0" on sites where the Zapier API key has not been configured.
Type: Title
  Values Added: New User Approve <= 3.0.9 - Unauthenticated Sensitive Information Disclosure via Type Juggling
Type: Weaknesses
  Values Added: CWE-200
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV3_1
    {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:08.179Z

Reserved: 2025-11-05T19:45:17.059Z

Link: CVE-2025-12770

Vulnrichment

Updated: 2025-11-19T19:10:14.301Z

NVD

Status: Deferred

Published: 2025-11-19T04:16:04.920

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12770

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:15:36Z

Weaknesses