CVE-2025-9987: Information Disclosure in Broadstreet WordPress Plugin
Plattform
wordpress
Komponente
broadstreet
Behoben in
1.53.2
CVE-2025-9987 is an Information Disclosure vulnerability affecting the Broadstreet WordPress plugin. An authenticated attacker with subscriber-level access or higher can exploit this flaw to extract sensitive business details, potentially including password-protected information. The vulnerability impacts versions 1.0.0 through 1.53.1, and a fix is available in version 1.53.2.
Erkenne diese CVE in deinem Projekt
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Auswirkungen und Angriffsszenarien
Successful exploitation of CVE-2025-9987 allows an attacker to gain access to sensitive business data stored within the Broadstreet plugin. This data could include private business details, potentially revealing confidential information about the organization using the plugin. While the vulnerability requires authentication (subscriber level or higher), the relatively low access threshold makes it a significant risk, especially in environments with weak password policies or compromised user accounts. The potential impact extends beyond simple data exposure; this information could be used for social engineering attacks, further compromising the organization’s security.
Ausnutzungskontext
CVE-2025-9987 is currently not listed on KEV (Known Exploited Vulnerabilities). The EPSS (Exploit Prediction Scoring System) score is pending evaluation. Public proof-of-concept (POC) code has not been widely reported, suggesting limited active exploitation at this time. The vulnerability was published on 2026-05-13, and it is recommended to monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Bedrohungsanalyse
Exploit-Status
CISA SSVC
CVSS-Vektor
Was bedeuten diese Metriken?
- Attack Vector
- Netzwerk — aus der Ferne über das Internet ausnutzbar. Kein physischer oder lokaler Zugriff erforderlich.
- Attack Complexity
- Niedrig — keine besonderen Bedingungen erforderlich. Zuverlässig ausnutzbar.
- Privileges Required
- Keine — ohne Authentifizierung ausnutzbar. Keine Zugangsdaten erforderlich.
- User Interaction
- Keine — automatischer und lautloser Angriff. Das Opfer tut nichts.
- Scope
- Unverändert — Auswirkung auf das anfällige Komponente beschränkt.
- Confidentiality
- Niedrig — partieller oder indirekter Zugriff auf einige Daten.
- Integrity
- Keine — kein Integritätseinfluss.
- Availability
- Keine — kein Verfügbarkeitseinfluss.
Betroffene Software
Schwachstellen-Klassifikation (CWE)
Zeitleiste
- Reserved
- Veröffentlicht
Mitigation und Workarounds
The primary mitigation for CVE-2025-9987 is to immediately upgrade the Broadstreet WordPress plugin to version 1.53.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily restricting access to the getsponsoredmeta() AJAX action. While not a complete solution, this can reduce the attack surface. Review WordPress user roles and permissions to ensure that only necessary users have subscriber-level access or higher. After upgrading, verify the fix by attempting to access the getsponsoredmeta() AJAX action with a subscriber-level user account and confirming that sensitive data is no longer exposed.
So beheben
Aktualisieren Sie auf Version 1.53.2 oder eine neuere gepatchte Version
Häufig gestellte Fragen
What is CVE-2025-9987 — Information Disclosure in Broadstreet WordPress Plugin?
CVE-2025-9987 is a vulnerability in the Broadstreet WordPress plugin allowing authenticated attackers to extract sensitive business details. It affects versions 1.0.0–1.53.1 and has a Medium severity rating.
Am I affected by CVE-2025-9987 in Broadstreet WordPress Plugin?
You are affected if you are using the Broadstreet WordPress plugin in versions 1.0.0 through 1.53.1. Check your plugin version and upgrade immediately if necessary.
How do I fix CVE-2025-9987 in Broadstreet WordPress Plugin?
Upgrade the Broadstreet WordPress plugin to version 1.53.2 or later to resolve the vulnerability. If immediate upgrade is not possible, temporarily restrict access to the getsponsoredmeta() AJAX action.
Is CVE-2025-9987 being actively exploited?
Currently, there are no widespread reports of active exploitation for CVE-2025-9987. However, it is crucial to apply the fix promptly to prevent potential future attacks.
Where can I find the official Broadstreet advisory for CVE-2025-9987?
Refer to the official Broadstreet plugin website or WordPress plugin repository for the latest security advisory and update information regarding CVE-2025-9987.
Ist dein Projekt betroffen?
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Erkenne diese CVE in deinem Projekt
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Scannen Sie jetzt Ihr WordPress-Projekt – kein Konto
Laden Sie ein Manifest hoch (composer.lock, package-lock.json, WordPress Plugin-Liste…) oder fügen Sie Ihre Komponentenliste ein. Sie erhalten sofort einen Schwachstellenbericht. Das Hochladen einer Datei ist nur der Anfang: Mit einem Konto erhalten Sie kontinuierliche Überwachung, Slack/email-Benachrichtigungen, Multi-Projekt- und White-Label-Berichte.
Abhängigkeitsdatei hier ablegen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...