Authors List < 2.0.6.2 – Authenticated (Contributor+) Sensitive Information Exposure via Limited Method Call in Plugin's Shortcode | CVE 2025-12010 | Plugin Vulnerabilities

Description

The Authors List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.6.1 via the via arbitrary method call from Authors_List_Shortcode class. This makes it possible for authenticated attackers, with Contributor-level access and above, to call methods such as get_meta to extract sensitive user data including password hashes, email addresses, usernames, and activation keys via specially crafted shortcode attributes

Affects Plugins

Fixed in 2.0.6.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5189c1c0-2d4c-47f5-b8d9-3192a670e586

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

kai

Verified

No

WPVDB ID

8c0cf7bb-90bc-48e8-9a04-b725fedb9567

Timeline

Publicly Published

2025-11-10 (about 6 months ago)

Added

2025-11-10 (about 6 months ago)

Last Updated

2025-11-25 (about 5 months ago)

Other

Published

Title

Published

2024-07-23

Title

WP Meteor Website Speed Optimization Addon < 3.4.4 - Unauthenticated Full Path Disclosure

Published

2023-10-02

Title

ProfilePress < 4.13.3 - Information Disclosure via Debug Log

Published

2024-12-26

Title

Barcode Generator for WooCommerce – Show barcodes on products, orders, invoices and other pages < 2.0.3 - Authenticated (Subscriber+) Sensitive Information Disclosure

Published

2024-03-29

Title

Essential Addons for Elementor < 5.9.14 - Unauthenticated Private/Draft Posts Access

Published

2025-10-02

Title

RestroPress – Online Food Ordering System < 3.2.2 - Unauthenticated Information Exposure to Authentication Bypass via Forged JWT