Unauthorized Data Access in PublishPress Future Plugin for WordPress
CVE-2025-13741

4.3MEDIUM

Key Information:

Vendor

WordPress
Status
Schedule Post Changes With PublisHPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
Vendor
CVE Published:
16 December 2025

What is CVE-2025-13741?

The PublishPress Future plugin for WordPress suffers from a flaw that allows for unauthorized access to sensitive user data. Due to a missing capability check in the getAuthors function, attackers with Contributor-level access or higher can exploit this vulnerability to retrieve the email addresses of all users who have the edit_posts capability. This security issue impacts all versions up to and including 4.9.2, leaving many WordPress sites at risk of data leakage.

Affected Version(s)

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories * <= 4.9.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/post-expirator...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Athiwat Tiprasaharn
JSON
.
CVE-2025-13741 : Unauthorized Data Access in PublishPress Future Plugin for WordPress