Gratis scannen
Analyse in behandelingCVE-2025-9987

CVE-2025-9987: Information Disclosure in Broadstreet WordPress Plugin

Platform

wordpress

Component

broadstreet

Opgelost in

1.53.2

Bekijk op NVD
Opslaan

CVE-2025-9987 is an Information Disclosure vulnerability discovered in the Broadstreet WordPress plugin. An authenticated attacker with subscriber-level access or higher can exploit this flaw to extract sensitive business details, including password-protected and private information. This vulnerability impacts versions 1.0.0 through 1.53.1, and a patch is available in version 1.53.2.

WordPress

Detecteer deze CVE in je project

Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.

Gratis scannen

Impact en Aanvalsscenarioswordt vertaald…

The primary impact of CVE-2025-9987 is the unauthorized exposure of sensitive business data. Attackers can leverage the getsponsoredmeta() AJAX action to retrieve information that is intended to be private or password-protected. This could include confidential pricing, internal notes, or other proprietary details. While the vulnerability requires authentication, the relatively low access level (subscriber) makes it accessible to a significant portion of WordPress users. The potential blast radius is limited to the data exposed through the plugin, but the compromise of such information could lead to competitive disadvantage or reputational damage.

Uitbuitingscontextwordt vertaald…

The vulnerability was published on 2026-05-13. As of this date, there are no publicly available exploits or active campaigns targeting CVE-2025-9987. The vulnerability's CVSS score of 5.3 (Medium) indicates a moderate probability of exploitation. It is not listed on KEV or EPSS. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.

Dreigingsinformatie

Exploit Status

Proof of ConceptOnbekend
CISA KEVNO
InternetblootstellingHoog
Rapporten1 dreigingsrapport

CISA SSVC

Exploitatienone
Automatiseerbaaryes
Technische Impactpartial

CVSS-vector

DREIGINGSINFORMATIE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N5.3MEDIUMAttack VectorNetworkHoe de aanvaller het doel bereiktAttack ComplexityLowVereiste omstandigheden om te exploiterenPrivileges RequiredNoneVereist authenticatieniveau voor aanvalUser InteractionNoneOf het slachtoffer actie moet ondernemenScopeUnchangedImpact buiten het getroffen onderdeelConfidentialityLowRisico op blootstelling van gevoelige dataIntegrityNoneRisico op ongeautoriseerde gegevenswijzigingAvailabilityNoneRisico op verstoring van dienstennextguardhq.com · CVSS v3.1 Basisscore
Wat betekenen deze metrics?
Attack Vector
Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
Attack Complexity
Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
Privileges Required
Geen — geen authenticatie vereist om te exploiteren.
User Interaction
Geen — automatische en stille aanval. Slachtoffer doet niets.
Scope
Ongewijzigd — impact beperkt tot het kwetsbare component.
Confidentiality
Laag — gedeeltelijke toegang tot enkele gegevens.
Integrity
Geen — geen integriteitsimpact.
Availability
Geen — geen beschikbaarheidsimpact.

Getroffen Software

Componentbroadstreet
Leverancierwordfence
Maximumversie1.53.1
Opgelost in1.53.2

Zwakheidsclassificatie (CWE)

CWE-200

Tijdlijn

  1. Gereserveerd
  2. Gepubliceerd
  3. Gewijzigd

Mitigatie en Workaroundswordt vertaald…

The primary mitigation for CVE-2025-9987 is to upgrade the Broadstreet WordPress plugin to version 1.53.2 or later. If upgrading is not immediately feasible, consider temporarily restricting access to the getsponsoredmeta() AJAX action using a WordPress firewall (WAF) or security plugin. Specifically, block requests to this endpoint from users with subscriber or lower roles. Monitor WordPress logs for unusual activity related to the getsponsoredmeta() action. After upgrading, verify the fix by attempting to access password-protected content through the plugin's AJAX endpoint with a subscriber-level user account; access should be denied.

Hoe te verhelpen

Update naar versie 1.53.2, of een nieuwere gepatchte versie

Veelgestelde vragenwordt vertaald…

What is CVE-2025-9987 — Information Disclosure in Broadstreet WordPress Plugin?

CVE-2025-9987 is a Medium severity vulnerability in the Broadstreet WordPress plugin allowing authenticated attackers to extract sensitive business details from password-protected content. It affects versions 1.0.0–1.53.1.

Am I affected by CVE-2025-9987 in Broadstreet WordPress Plugin?

You are affected if your WordPress website uses the Broadstreet plugin and is running version 1.0.0 through 1.53.1. Ensure you upgrade to mitigate the risk.

How do I fix CVE-2025-9987 in Broadstreet WordPress Plugin?

Upgrade the Broadstreet WordPress plugin to version 1.53.2 or later. As a temporary workaround, restrict access to the getsponsoredmeta() AJAX action.

Is CVE-2025-9987 being actively exploited?

As of 2026-05-13, there are no publicly known active exploitation campaigns targeting CVE-2025-9987, but continued monitoring is advised.

Where can I find the official Broadstreet advisory for CVE-2025-9987?

Refer to the official Broadstreet plugin website or WordPress plugin repository for the latest advisory and update information regarding CVE-2025-9987.

Is jouw project getroffen?

Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.

Gratis scannenCVEs zoeken
WordPress

Detecteer deze CVE in je project

Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.

Gratis scannen
livefree scan

Scan nu uw WordPress project — geen account

Upload een manifest (composer.lock, package-lock.json, WordPress pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mail alerts, multi-project en white-label rapporten.

Manual scanSlack/email alertsscanZone.capMonitorWhite-label reports

Sleep uw afhankelijkheidsbestand hierheen

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...