Information Exposure Vulnerability in WP Discourse Plugin by WordPress
CVE-2025-11983

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: WP Discourse
Vendor: CVE Published:; 1 November 2025

What is CVE-2025-11983?

The WP Discourse plugin for WordPress is susceptible to an information exposure issue present in all versions up to and including 2.5.9. The vulnerability arises from the plugin's practice of unconditionally transmitting Discourse API credentials—specifically, the Api-Key and Api-Username headers—to any specified host in a post's discourse_permalink custom field during comment synchronization. This flaw allows authenticated users with author-level access or higher to extract sensitive credentials. As a result, attackers can potentially exfiltrate these credentials to their own servers, access internal services, and carry out additional attacks, posing a significant risk to the security of WordPress installations utilizing this plugin.

Affected Version(s)

WP Discourse * <= 2.5.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-discourse/t...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 1, 2025
Vulnerability Reserved
Oct 20, 2025

Credit

Jonas Benjamin Friedli

JSON