CVE-2025-10638

The NS Maintenance Mode for WP WordPress plugin through version 1.3.1 contains a missing authorization vulnerability in its subscriber export functionality. The plugin fails to check for proper permissions or authentication before processing a request to export subscriber data, allowing anyone to trigger this function without any credentials [1].

An unauthenticated attacker can directly call the export function via an HTTP request, and the plugin will generate a file containing subscriber information. No user interaction or administrative privileges are required for exploitation, making this easily accessible to anyone who can reach the WordPress site's endpoints [1].

As a result, an attacker can obtain a full list of the website's subscribers, including their names and email addresses. This exposure can lead to privacy violations, targeted phishing campaigns, or spam, as the data is presented in a downloadable format [1].

The vulnerability affects all versions up to and including 1.3.1. At the time of disclosure, no official fix or patched version was available, and the plugin was listed with no known fix [1]. Site administrators using this plugin are advised to remove or replace it to prevent unauthorized data leaks.