CVE-2025-14464 in PDF Resume Parser Plugin
Summary
by MITRE • 01/14/2026
The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accounts and potentially gain unauthorized access to other systems using the same credentials.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/31/2026
The PDF Resume Parser plugin for WordPress represents a critical security vulnerability through its improper handling of sensitive data exposure. This vulnerability affects all versions up to and including 1.0, creating a persistent risk for WordPress installations that utilize this plugin. The flaw manifests through the plugin's registration of an AJAX action handler that lacks proper authentication mechanisms, allowing any unauthenticated user to access functionality that should remain restricted to authorized administrators. The exposure occurs during the plugin's operation when it inadvertently makes SMTP configuration data accessible through a publicly reachable endpoint. This particular vulnerability aligns with CWE-200, which specifically addresses the exposure of sensitive information to an unauthorized actor, and demonstrates how seemingly benign plugin functionality can create substantial security risks when proper access controls are not implemented.
The technical exploitation of this vulnerability occurs through the manipulation of the AJAX endpoint that the plugin registers, which typically handles resume parsing operations but fails to verify user authentication status. Attackers can construct specific requests to this endpoint without requiring any valid credentials, thereby gaining access to the SMTP configuration details stored within the WordPress environment. The exposed credentials include both username and password fields that are typically used for email communication within the WordPress system. This exposure creates a direct pathway for attackers to leverage these credentials for unauthorized email account access, potentially enabling them to send phishing emails, reset passwords for other accounts, or establish persistent access through compromised email accounts. The vulnerability represents a clear violation of the principle of least privilege, as the system grants access to sensitive configuration data without proper authentication verification.
The operational impact of this vulnerability extends beyond simple credential theft and creates a broader security compromise for affected WordPress environments. Once attackers obtain the SMTP credentials, they can potentially use these same credentials to access other systems where the same authentication information has been reused, creating a domino effect of potential compromise. The exposure of SMTP configuration data also provides attackers with insights into the email infrastructure and communication patterns of the affected organization. This information can be leveraged for more sophisticated attacks including social engineering campaigns, where attackers use legitimate email addresses to gain trust and access to additional systems. The vulnerability's persistence across multiple versions indicates a fundamental flaw in the plugin's design that requires immediate remediation to prevent exploitation.
Security mitigation strategies for this vulnerability must focus on immediate remediation and long-term architectural improvements. The most effective immediate solution involves updating to the latest version of the PDF Resume Parser plugin where the vulnerability has been patched, or removing the plugin entirely if no longer needed. Organizations should implement network-level restrictions to prevent access to the vulnerable AJAX endpoint and consider implementing additional authentication layers for any AJAX handlers that process sensitive data. The vulnerability demonstrates the importance of proper input validation and access control implementation, aligning with ATT&CK technique T1566 which covers credential harvesting through various attack vectors. Regular security audits of WordPress plugins should include verification of AJAX endpoint access controls and proper authentication mechanisms to prevent similar vulnerabilities from being introduced into the system.