WordPress Plugin Vulnerabilities

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories < 4.9.3 - Missing Authorization to Authenticated (Contributor+) Authors' Emails Exposure

Description

The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to retrieve emails for all users with edit_posts capability.

Affects Plugins

Plugin icon
post-expirator
Fixed in 4.9.3

References

CVE
CVE-2025-13741
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2f67da8c-da60-4c77-a8b8-7dfc027662e9

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
9a6a12e5-f099-46ff-ac26-c8d6cfd8a3b3

Timeline

Publicly Published
2025-12-15 (about 4 months ago)
Added
2025-12-15 (about 4 months ago)
Last Updated
2025-12-16 (about 4 months ago)

Other

Published
Title
Published
2025-09-22
Title
Ibtana < 1.2.5.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Content Deletion
Published
2024-08-16
Title
Order Tracking < 3.3.13 - Missing Authorization via send_test_email()
Published
2025-12-11
Title
Grider for Elementor <= 1.0.8 - Missing Authorization
Published
2026-01-27
Title
Sunshine Photo Cart < 3.5.7.1 - Missing Authorization
Published
2025-06-12
Title
WP Travel Engine < 6.5.2 - Missing Authorization to Unauthenticated Arbitrary Post Deletion