PT-2025-50891 · WordPress

Published 2025-12-12 · Updated 2025-12-12 · CVE-2025-13660

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Guest Support plugin for WordPress versions prior to 1.2.4

Description

The software contains a flaw that allows unauthorized disclosure of user email addresses. An unauthenticated attacker can enumerate user accounts and extract email addresses by accessing a public AJAX endpoint. The vulnerable endpoint is /wp-admin/admin-ajax.php with the guest support handler parameter set to ajax and the request parameter set to get users. This allows retrieval of user information without any authentication or capability checks.

Recommendations

Update the Guest Support plugin to version 1.2.4 or later.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2025-13660

Affected Products

Guest Support
WordPress