PT-2025-44710 · WordPress · WP Discourse
Published 2025-11-01 · Updated 2025-11-21 · CVE-2025-11983
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
WP Discourse plugin for WordPress versions through 2.5.9
Description
The WP Discourse plugin for WordPress is susceptible to information disclosure. When the plugin synchronizes comments for a post, it reads the Discourse topic URL from the post's discourse permalink custom field (post meta) and sends its API request to whatever host that URL names, unconditionally attaching the site's Discourse API credentials in the Api-Key and Api-Username request headers. The destination is never compared against the Discourse URL configured in the plugin settings.
An authenticated attacker with Author-level access or higher can set custom fields on their own posts, so they can point the permalink at a server they control, capture the Api-Key and Api-Username headers when synchronization runs, and then use those credentials directly against the real Discourse instance. Because the request is issued by the WordPress server itself, the same field can also be pointed at internal services the server can reach (server-side request forgery).
Recommendations
Update the WP Discourse plugin to a version later than 2.5.9.
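As an added example, not the plugin's own code, the origin check that the description shows to be missing, written in PHP: credentials are attached only when the permalink's scheme, host and port match the Discourse URL configured in the plugin, a foreign host gets no request at all, and the same comparison doubles as an audit over existing post meta for a site still on 2.5.9 or earlier. The function names (wpdc_*), the option keys (url, api-key, publish-username), the meta key discourse_permalink and the sample rows are assumptions constructed for this illustration.

```php
<?php
// Added example, not WP Discourse's own code. Function names (wpdc_*), the
// option keys and the sample post-meta rows below are assumptions for
// illustration.

/**
 * True only when $permalink has the same origin (scheme, host, port) as the
 * configured Discourse base URL. Anything else, including URLs carrying
 * userinfo such as "https://forum.example.com@attacker.test/", is rejected.
 */
function wpdc_permalink_matches_origin( string $permalink, string $discourse_url ): bool {
    $p = parse_url( $permalink );
    $d = parse_url( $discourse_url );
    if ( $p === false || $d === false || empty( $p['host'] ) || empty( $d['host'] ) ) {
        return false;
    }
    if ( isset( $p['user'] ) || isset( $p['pass'] ) ) {
        return false;
    }
    $scheme_p = strtolower( $p['scheme'] ?? '' );
    $scheme_d = strtolower( $d['scheme'] ?? '' );
    if ( $scheme_p === '' || $scheme_p !== $scheme_d ) {
        return false;
    }
    // Fill in default ports so "https://forum.example.com" and
    // "https://forum.example.com:443" compare equal.
    $defaults = array( 'http' => 80, 'https' => 443 );
    $port_p   = $p['port'] ?? ( $defaults[ $scheme_p ] ?? null );
    $port_d   = $d['port'] ?? ( $defaults[ $scheme_d ] ?? null );

    return strtolower( $p['host'] ) === strtolower( $d['host'] ) && $port_p === $port_d;
}

/**
 * Build the arguments for a comment-sync request. The vulnerable behaviour the
 * advisory describes is equivalent to skipping the origin check and always
 * returning the headers. Here an off-origin permalink yields null (no request),
 * rather than a credential-less request, so the site cannot be used as an
 * SSRF proxy against internal services either.
 */
function wpdc_build_sync_request( string $permalink, array $options ): ?array {
    if ( ! wpdc_permalink_matches_origin( $permalink, $options['url'] ) ) {
        return null;
    }
    return array(
        'url'     => $permalink,
        'headers' => array(
            'Api-Key'      => $options['api-key'],
            'Api-Username' => $options['publish-username'],
        ),
    );
}

/**
 * Audit helper: given post_id => discourse_permalink pairs (for example dumped
 * from the wp_postmeta table), return the post IDs whose permalink points at a
 * host other than the configured Discourse origin.
 */
function wpdc_audit_permalinks( array $rows, string $discourse_url ): array {
    $suspect = array();
    foreach ( $rows as $post_id => $permalink ) {
        if ( ! wpdc_permalink_matches_origin( (string) $permalink, $discourse_url ) ) {
            $suspect[] = $post_id;
        }
    }
    return $suspect;
}

// Constructed sample data: plugin options and post-meta rows.
$options = array(
    'url'              => 'https://forum.example.com',
    'api-key'          => 'REDACTED-API-KEY',
    'publish-username' => 'system',
);
$rows = array(
    11 => 'https://forum.example.com/t/hello-world/42',       // legitimate
    12 => 'https://FORUM.example.com:443/t/case-and-port/7',  // legitimate, case/port normalised
    13 => 'https://attacker.test/t/hello-world/42',           // exfiltration host
    14 => 'https://forum.example.com@attacker.test/t/x/1',    // userinfo trick
    15 => 'http://10.0.0.5:8080/admin',                       // internal service
    16 => 'https://forum.example.com.attacker.test/t/x/1',    // suffix trick
);

foreach ( $rows as $post_id => $permalink ) {
    $req = wpdc_build_sync_request( $permalink, $options );
    printf( "post %d: %s\n", $post_id, $req === null ? 'blocked' : 'sync to ' . $req['url'] );
}
print_r( wpdc_audit_permalinks( $rows, $options['url'] ) );
```

Run with `php` on the command line; posts 11 and 12 are the only ones that receive the Api-Key and Api-Username headers, and the audit list names every post whose permalink would have leaked them under the unconditional behaviour. The same comparison can be run against a real site's postmeta rows before updating to find permalinks that have already been tampered with; if any are found, treat the Discourse API key as compromised and rotate it.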
Fix
Information Disclosure
Affected Products
WP Discourse
WordPress