User Enumeration Bypass in Stop User Enumeration Plugin for WordPress
CVE-2025-4302

5.3MEDIUM

Key Information:

Vendor

WordPress
Status
Stop User Enumeration
Vendor
CVE Published:
17 July 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-4302?

The Stop User Enumeration plugin for WordPress, prior to version 1.7.3, is designed to prevent unauthorized user enumeration through REST API calls. However, an exploit exists that allows attackers to bypass this security by URL-encoding the API path, thereby gaining unauthorized access to user data. It is critical for users of this plugin to update to the latest version to mitigate this vulnerability and protect sensitive information.

Affected Version(s)

Stop User Enumeration 0 < 1.7.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-4302 - Proof of Concept

References

https://wpscan.com/vulnerability/19f67d6e-4ffe-4126-ac42-...
exploitvdb-entrytechnical-description

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Stan, Chin Siang Leow
WPScan
.
CVE-2025-4302 : User Enumeration Bypass in Stop User Enumeration Plugin for WordPress