CVE-2025-13496 Overview
CVE-2025-13496 affects the Moosend Landing Pages plugin for WordPress in all versions up to and including 1.1.6. The plugin's moosend_landings_auth_get function lacks a capability check, allowing authenticated users with Subscriber-level access or higher to delete the moosend_landing_api_key option value. The flaw is classified as Missing Authorization [CWE-862] and impacts data integrity by enabling low-privileged accounts to remove configuration data they should not be permitted to modify.
Critical Impact
Authenticated Subscriber-level attackers can delete the stored Moosend landing pages API key, disrupting integration between the WordPress site and the Moosend service.
Affected Products
- Moosend Landing Pages plugin for WordPress, versions up to and including 1.1.6
- WordPress sites with Subscriber-level or higher user registration enabled
- Sites using the Moosend email marketing integration through this plugin
Discovery Timeline
- 2026-01-07 - CVE CVE-2025-13496 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-13496
Vulnerability Analysis
The vulnerability resides in the moosend_landings_auth_get function defined in forms/auth-request.php within the Moosend Landing Pages plugin. The function is exposed through WordPress's AJAX handlers but does not validate the caller's WordPress capabilities before processing requests. Any authenticated user, including a Subscriber, can invoke the endpoint and trigger logic that removes the moosend_landing_api_key option from the wp_options table.
Deleting the API key severs the authenticated connection between the WordPress installation and Moosend. Landing pages and form submissions that rely on the API key stop functioning until an administrator regenerates and reinstalls the credential. While the issue does not expose sensitive data or allow code execution, it enables a low-privileged user to degrade site functionality.
Root Cause
The root cause is the absence of a current_user_can() capability check and a missing nonce verification in the moosend_landings_auth_get handler. WordPress's authorization model requires plugins to explicitly verify that the requesting user holds appropriate capabilities. The plugin treats authentication as sufficient authorization, which violates the principle of least privilege.
Attack Vector
An attacker first obtains Subscriber-level credentials, which can be acquired on any WordPress site that permits open user registration. The attacker then issues an authenticated request to the vulnerable AJAX endpoint backed by moosend_landings_auth_get. The handler processes the request without permission checks and deletes the option value, breaking the Moosend integration. No user interaction is required beyond authenticating as a low-privileged user. Refer to the WordPress Plugin Code Reference and the Wordfence Vulnerability Report for the implementation details.
Detection Methods for CVE-2025-13496
Indicators of Compromise
- Unexpected absence or empty value of the moosend_landing_api_key entry in the wp_options table.
- Moosend landing pages or forms failing to load or returning authentication errors after a known-working state.
- AJAX requests in web server logs targeting admin-ajax.php with the moosend_landings_auth_get action originating from non-administrator sessions.
Detection Strategies
- Audit WordPress access logs for POST requests to admin-ajax.php invoking actions associated with the Moosend plugin from Subscriber-tier accounts.
- Compare current wp_options values against backups to detect unauthorized deletion of the moosend_landing_api_key.
- Enable WordPress activity logging to capture option changes and AJAX handler invocations along with the responsible user ID.
Monitoring Recommendations
- Alert on any modification or deletion of plugin-related rows in wp_options outside of administrator sessions.
- Track creation patterns for low-privileged accounts followed by AJAX requests to plugin endpoints.
- Monitor outbound API errors from the Moosend integration as a downstream signal of credential removal.
How to Mitigate CVE-2025-13496
Immediate Actions Required
- Update the Moosend Landing Pages plugin to a version newer than 1.1.6 once the vendor releases a fix.
- Disable the plugin on sites that cannot be updated promptly, especially if open Subscriber registration is enabled.
- Restrict new user registrations or set the default new user role to a custom role with no AJAX action exposure where feasible.
Patch Information
At the time of publication, the vulnerability affects all versions through 1.1.6. Site administrators should consult the Wordfence Vulnerability Report and the WordPress plugin repository for the latest fixed release. Once a patched version is published, apply it through the WordPress admin dashboard or by replacing the plugin files directly.
Workarounds
- Disable open user registration in WordPress settings to remove the prerequisite for exploitation.
- Deploy a web application firewall rule to block unauthenticated and Subscriber-level requests to the moosend_landings_auth_get AJAX action.
- Back up the moosend_landing_api_key option value and the broader wp_options table to allow rapid restoration if deletion occurs.
# Example WP-CLI commands to inspect and back up the affected option
wp option get moosend_landing_api_key
wp option get moosend_landing_api_key > moosend_landing_api_key.backup
# Optionally disable open registration as a hardening step
wp option update users_can_register 0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
