Executive Summary

CVE-2025-13496 is a vulnerability in the Moosend Landing Pages WordPress plugin where the function moosend_landings_auth_get handles user authentication by sending user credentials (email and password) via an insecure GET request to an external API. This means sensitive login information is exposed in URLs, which can be logged or intercepted. Additionally, the plugin lacks proper security measures such as nonce verification or capability checks, allowing authenticated users with Subscriber-level access or higher to delete the 'moosend_landing_api_key' option value, leading to unauthorized modification of data. [2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to exposure of user credentials due to insecure transmission via GET parameters, which can be logged or intercepted. Attackers with Subscriber-level access or above can delete critical API key data, potentially disrupting plugin functionality or gaining unauthorized access. The lack of proper security checks also increases the risk of Cross-Site Request Forgery (CSRF) attacks and unauthorized data modification. [2, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring network traffic for GET requests to the external authentication API endpoint https://authentication.m-operations.com/api/user/authenticate.json containing sensitive credentials in URL parameters. You can use network capture tools like tcpdump or Wireshark to filter such requests. For example, a tcpdump command to detect these GET requests could be: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep 'authentication.m-operations.com/api/user/authenticate.json'. Additionally, inspecting WordPress logs or plugin files for the presence of the vulnerable moosend_landings_auth_get function in auth-request.php can help identify affected installations. [2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the Moosend Landing Pages plugin to trusted users only, especially limiting Subscriber-level access to prevent unauthorized API key deletion. Disable or remove the vulnerable plugin version (up to and including 1.1.6) until a patched version is available. Monitor and block outgoing requests to the external authentication API endpoint to prevent credential exposure. Additionally, implement network-level monitoring and alerts for suspicious GET requests containing credentials. Applying WordPress security best practices such as enforcing HTTPS, using capability checks, and adding nonce verification on forms can also help mitigate risks. [2, 3]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability involves insecure transmission of user credentials via GET requests, which can expose sensitive data such as email and password in URLs, logs, or browser history. This exposure risks unauthorized access and potential data breaches, which could lead to non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information. Therefore, this vulnerability negatively impacts compliance by increasing the risk of unauthorized data disclosure and insufficient protection of user credentials. [2, 3]

Useful 0 Not Useful 0