Scan free
Pending AnalysisCVE-2025-9987

CVE-2025-9987: Information Disclosure in Broadstreet WordPress Plugin

Platform

wordpress

Component

broadstreet

Fixed in

1.53.2

View on NVD
Save

CVE-2025-9987 is an Information Disclosure vulnerability discovered in the Broadstreet WordPress plugin. An authenticated attacker with subscriber-level access or higher can exploit this flaw to extract sensitive business details, including password-protected and private information. This vulnerability impacts versions 1.0.0 through 1.53.1, and a patch is available in version 1.53.2.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

The primary impact of CVE-2025-9987 is the unauthorized exposure of sensitive business data. Attackers can leverage the getsponsoredmeta() AJAX action to retrieve information that is intended to be private or password-protected. This could include confidential pricing, internal notes, or other proprietary details. While the vulnerability requires authentication, the relatively low access level (subscriber) makes it accessible to a significant portion of WordPress users. The potential blast radius is limited to the data exposed through the plugin, but the compromise of such information could lead to competitive disadvantage or reputational damage.

Exploitation Context

The vulnerability was published on 2026-05-13. As of this date, there are no publicly available exploits or active campaigns targeting CVE-2025-9987. The vulnerability's CVSS score of 5.3 (Medium) indicates a moderate probability of exploitation. It is not listed on KEV or EPSS. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
Reports1 threat report

CISA SSVC

Exploitationnone
Automatableyes
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N5.3MEDIUMAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityLowRisk of sensitive data exposureIntegrityNoneRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentbroadstreet
Vendorwordfence
Minimum version1.0.0
Maximum version1.53.1
Fixed in1.53.2

Weakness Classification (CWE)

CWE-200

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The primary mitigation for CVE-2025-9987 is to upgrade the Broadstreet WordPress plugin to version 1.53.2 or later. If upgrading is not immediately feasible, consider temporarily restricting access to the getsponsoredmeta() AJAX action using a WordPress firewall (WAF) or security plugin. Specifically, block requests to this endpoint from users with subscriber or lower roles. Monitor WordPress logs for unusual activity related to the getsponsoredmeta() action. After upgrading, verify the fix by attempting to access password-protected content through the plugin's AJAX endpoint with a subscriber-level user account; access should be denied.

How to fix

Update to version 1.53.2, or a newer patched version

Frequently asked questions

What is CVE-2025-9987 — Information Disclosure in Broadstreet WordPress Plugin?

CVE-2025-9987 is a Medium severity vulnerability in the Broadstreet WordPress plugin allowing authenticated attackers to extract sensitive business details from password-protected content. It affects versions 1.0.0–1.53.1.

Am I affected by CVE-2025-9987 in Broadstreet WordPress Plugin?

You are affected if your WordPress website uses the Broadstreet plugin and is running version 1.0.0 through 1.53.1. Ensure you upgrade to mitigate the risk.

How do I fix CVE-2025-9987 in Broadstreet WordPress Plugin?

Upgrade the Broadstreet WordPress plugin to version 1.53.2 or later. As a temporary workaround, restrict access to the getsponsoredmeta() AJAX action.

Is CVE-2025-9987 being actively exploited?

As of 2026-05-13, there are no publicly known active exploitation campaigns targeting CVE-2025-9987, but continued monitoring is advised.

Where can I find the official Broadstreet advisory for CVE-2025-9987?

Refer to the official Broadstreet plugin website or WordPress plugin repository for the latest advisory and update information regarding CVE-2025-9987.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free
livefree scan

Scan your WordPress project now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...