Description
The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hooked to both admin_post_my_simple_form and admin_post_nopriv_my_simple_form actions. This makes it possible for unauthenticated attackers to export complete user details (excluding passwords and sensitive tokens) in CSV format via the 'action' parameter.
Published: 2026-01-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized User Data Export
Action: Apply Patch
AI Analysis

Impact

The Latest Registered Users plugin for WordPress allows unauthenticated users to trigger a data export that outputs all registered user details in CSV format. The vulnerability arises from missing authorization checks and nonce validation in the rnd_handle_form_submit function, which is called through both admin_post_my_simple_form and admin_post_nopriv_my_simple_form actions. Although passwords and sensitive tokens are omitted, the exposed data (user names, emails, registration dates, etc.) can still compromise privacy and may aid phishing or credential‑stuffing attacks. This flaw is identified as a missing authorization vulnerability (CWE‑862).

Affected Systems

Any WordPress installation that includes the Latest Registered Users plugin in version 1.4 or earlier is affected. Site administrators must review the plugin version in use and identify any instances of these vulnerable releases across their sites.

Risk and Exploitability

The CVSS score of 7.5 indicates a high potential impact if exploited, yet the EPSS score of less than 1% suggests that the likelihood of real‑world exploitation is currently low. The flaw is not listed in CISA’s KEV catalog. A threat actor can achieve the data export simply by sending an unauthenticated POST request to the plugin’s action endpoint with the appropriate parameters, requiring no user privileges or login credentials.

Generated by OpenCVE AI on April 21, 2026 at 00:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Latest Registered Users plugin to a version newer than 1.4 in which proper authorization and nonce checks have been implemented.
  • If an update is not immediately possible, disable or remove the plugin from the site until a secure version is available.
  • Configure web‑server or application‑level access controls to restrict unauthenticated access to the admin_post_my_simple_form and admin_post_nopriv_my_simple_form actions, ensuring that only authenticated users can trigger the export functionality.
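One way to apply the application-level restriction from the last recommended action is a must-use plugin that runs ahead of the vulnerable handler. This is an added example, not part of the advisory or of the plugin's code. The `lru_guard_*` names, the `list_users` capability requirement and the premise that the plugin registers `rnd_handle_form_submit` at the default hook priority of 10 are assumptions.

```php
<?php
/**
 * Plugin Name: Guard my_simple_form export (added example)
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * It does not add nonce validation; it only enforces authentication and
 * a capability check in front of the plugin's own handler.
 */

// Assumption: only accounts that may list users should trigger the export.
const LRU_GUARD_CAPABILITY = 'list_users';

/**
 * Log the blocked request and stop with HTTP 403 before any CSV is produced.
 */
function lru_guard_deny( $reason ) {
    error_log( sprintf(
        'my_simple_form blocked (%s) from %s',
        $reason,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    // wp_die() terminates the request, so later callbacks on the hook never run.
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}

// Priority 0 runs before callbacks registered at the default priority 10
// (assumed to include rnd_handle_form_submit).

// Unauthenticated requests: always refuse.
add_action( 'admin_post_nopriv_my_simple_form', function () {
    lru_guard_deny( 'unauthenticated' );
}, 0 );

// Authenticated requests: refuse unless the user holds the required capability.
add_action( 'admin_post_my_simple_form', function () {
    if ( ! current_user_can( LRU_GUARD_CAPABILITY ) ) {
        lru_guard_deny( 'insufficient capability' );
    }
}, 0 );
```

Entries written by `error_log()` also give a simple signal for spotting repeated export attempts against the site.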

Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 08:30:00 +0000

Type | Values Removed | Values Added
Description | | The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hooked to both admin_post_my_simple_form and admin_post_nopriv_my_simple_form actions. This makes it possible for unauthenticated attackers to export complete user details (excluding passwords and sensitive tokens) in CSV format via the 'action' parameter.
Title | | Latest Registered Users <= 1.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via User Data Export
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:06.735Z

Reserved: 2025-11-20T21:55:48.114Z

Link: CVE-2025-13493

Vulnrichment

Updated: 2026-01-07T14:47:02.877Z

NVD

Status: Deferred

Published: 2026-01-07T12:16:48.030

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13493

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:45:23Z

Weaknesses