CVE-2025-13403 MEDIUM

CVE-2025-13403: Employee Spotlight – Team Member Showcase & Meet the Team Plugin <= 5.1.3 - Missing Authorization to Authenticated (Subscriber+) Tracking Opt-In/Opt-Out Modification

Vendor: Emarket-Design
Product: Employee Spotlight – Team Member Showcase & Meet the Team Plugin
Weakness: CWE-862 · Missing authorization
Published: December 13, 2025
Last update: April 8, 2026

CVSS base score

4.3/10 (Medium)
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: Low
Availability: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Employee Spotlight – Team Member Showcase & Meet the Team Plugin for WordPress is vulnerable to unauthorized tracking settings modification due to missing authorization validation on the employee_spotlight_check_optin() function in all versions up to, and including, 5.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable tracking settings.
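The missing check is the pattern below. This is an added illustration of how a WordPress AJAX handler of this shape is normally guarded, not the plugin's own code: the function name comes from the advisory, while the nonce action, option name, capability, POST parameter and script handle are assumptions.

```php
<?php
// Hypothetical hardened handler showing the authorization and CSRF checks
// that CWE-862 describes as missing. Only the function name is taken from
// the advisory; every other identifier here is an assumed placeholder.

// Register the handler for logged-in users only. Deliberately no
// wp_ajax_nopriv_ hook, so unauthenticated requests never reach it.
add_action( 'wp_ajax_employee_spotlight_check_optin', 'employee_spotlight_check_optin' );

function employee_spotlight_check_optin() {
    // 1. CSRF protection: the request must carry a nonce issued for this
    //    action. check_ajax_referer() terminates the request when the nonce
    //    is missing, stale or issued for a different action.
    check_ajax_referer( 'employee_spotlight_optin_nonce', 'nonce' );

    // 2. Authorization: being logged in is not enough. Changing a site-wide
    //    tracking setting should require a capability that Subscribers lack;
    //    this is the check whose absence lets any authenticated user toggle it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept only the two values the setting can take.
    $choice = isset( $_POST['optin'] )
        ? sanitize_text_field( wp_unslash( $_POST['optin'] ) )
        : '';
    if ( ! in_array( $choice, array( 'yes', 'no' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid value.' ), 400 );
    }

    // Persist the opt-in choice (option name is an assumption).
    update_option( 'employee_spotlight_tracking_optin', $choice );
    wp_send_json_success( array( 'optin' => $choice ) );
}

// The nonce checked above has to be minted server-side and handed to the
// admin script that sends the request. Assumes the 'employee-spotlight-admin'
// handle was registered and enqueued earlier in the same hook.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'employee-spotlight-admin', 'esOptin', array(
        'nonce' => wp_create_nonce( 'employee_spotlight_optin_nonce' ),
    ) );
} );
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_` callback and confirm it contains both a nonce check and a `current_user_can()` test before any `update_option()` or database write.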

Explanation of Vulnerability in Simple Terms

02 Summary

The Employee Spotlight plugin for WordPress contains an authorization flaw that allows authenticated users with low privileges to modify data they should not have access to. An attacker with a basic user account can alter team member information or other plugin data without proper permission checks. The vulnerability affects versions up to 5.1.3 and requires a valid WordPress login to exploit.

What an attacker can do

03 Attacker Capabilities

Modify team member profiles and plugin data without proper authorization.

Potential impact on your site

04 Site Impact

Unauthorized changes to team member information, potentially damaging site credibility and requiring manual restoration.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid WordPress user account with low-level privileges (e.g., subscriber or contributor role).

Key dates

06 Disclosure timeline

December 13, 2025: CVE published
April 8, 2026: Record updated
