Vulnerabilities ›

CVE-2025-9987

Medium

CWE-200 — Weakness Type

                    Published: May 13, 2026                      ·  Modified: May 16, 2026                      ·  Source: NVD                

CVSS v3

5.3

🔗 NVD Official

📄 Description (English)

The Broadstreet plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.53.1 via the get_sponsored_meta() AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract data from password protected and private business details.

🤖 AI Executive Summary

The Broadstreet WordPress plugin (versions ≤1.53.1) contains a sensitive information exposure vulnerability in its AJAX get_sponsored_meta() function, allowing authenticated subscribers to access password-protected and private business data. With a CVSS score of 5.3 and no available patch, this vulnerability poses a moderate risk to WordPress-based business directories and local business platforms operating in Saudi Arabia. The lack of exploit availability provides a limited window for remediation before potential weaponization.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 30, 2026 00:20

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations operating WordPress-based business directories, local commerce platforms, and B2B marketplaces are at highest risk. Affected sectors include: (1) E-commerce and retail platforms listing business details; (2) Government digital transformation initiatives using WordPress for business registries; (3) Chamber of Commerce and business association websites; (4) Real estate and property listing platforms; (5) Tourism and hospitality business directories. The vulnerability allows unauthorized access to confidential business information, competitive data, and private contact details, potentially violating SAMA data protection requirements for financial service providers and NCA cybersecurity standards for critical information assets.

🏢 Affected Saudi Sectors

E-commerce and Retail Government Digital Services Business Directories and Registries Real Estate and Property Tourism and Hospitality Chamber of Commerce B2B Marketplaces Local Business Platforms

🎯 MITRE ATT&CK Techniques

⚖️ Saudi Risk Score (AI)

6.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Audit all WordPress installations using Broadstreet plugin versions ≤1.53.1 across your organization

2. Review access logs for suspicious AJAX requests to get_sponsored_meta() endpoint (check wp-admin/admin-ajax.php?action=get_sponsored_meta)

3. Disable the Broadstreet plugin immediately if not actively used; deactivate and remove from production

4. Restrict subscriber-level access to only trusted users; audit current subscriber accounts for unauthorized additions

COMPENSATING CONTROLS (until patch available):

5. Implement Web Application Firewall (WAF) rules to block AJAX requests to get_sponsored_meta() action

6. Add authentication middleware requiring additional verification for sensitive business data endpoints

7. Apply WordPress security hardening: disable REST API if unused, implement rate limiting on AJAX endpoints

8. Use WordPress security plugins (Wordfence, Sucuri) to monitor and block suspicious AJAX activity

DETECTION RULES:

9. Monitor wp-admin/admin-ajax.php logs for: action=get_sponsored_meta requests from subscriber+ accounts

10. Alert on multiple sequential get_sponsored_meta requests from single IP/user within short timeframe

11. Track database queries accessing password-protected post metadata from AJAX handlers

12. Implement SIEM rules: detect subscriber accounts accessing business metadata outside normal business hours

LONG-TERM:

13. Contact Broadstreet developers for patch timeline; consider alternative plugins if no update within 30 days

14. Implement principle of least privilege for WordPress user roles

15. Conduct security code review of custom AJAX handlers in your WordPress environment

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تدقيق جميع تثبيتات WordPress التي تستخدم مكون Broadstreet بإصدارات ≤1.53.1 عبر مؤسستك

2. مراجعة سجلات الوصول للطلبات المريبة من AJAX إلى نقطة نهاية get_sponsored_meta() (تحقق من wp-admin/admin-ajax.php?action=get_sponsored_meta)

3. تعطيل مكون Broadstreet فوراً إذا لم يكن قيد الاستخدام النشط؛ إلغاء التفعيل والإزالة من الإنتاج

4. تقييد وصول المشتركين إلى المستخدمين الموثوقين فقط؛ تدقيق حسابات المشتركين الحالية للإضافات غير المصرح بها

الضوابط البديلة (حتى توفر التصحيح):

5. تنفيذ قواعد جدار الحماية (WAF) لحجب طلبات AJAX إلى إجراء get_sponsored_meta()

6. إضافة طبقة مصادقة وسيطة تتطلب التحقق الإضافي لنقاط نهاية بيانات الأعمال الحساسة

7. تطبيق تقسية أمان WordPress: تعطيل REST API إذا لم يكن قيد الاستخدام، تنفيذ تحديد معدل على نقاط نهاية AJAX

8. استخدام مكونات أمان WordPress (Wordfence, Sucuri) لمراقبة وحجب نشاط AJAX المريب

قواعد الكشف:

9. مراقبة سجلات wp-admin/admin-ajax.php للبحث عن: طلبات action=get_sponsored_meta من حسابات المشتركين+

10. تنبيه على طلبات get_sponsored_meta متتالية متعددة من عنوان IP/مستخدم واحد في إطار زمني قصير

11. تتبع استعلامات قاعدة البيانات التي تصل إلى بيانات وصفية محمية بكلمة مرور من معالجات AJAX

12. تنفيذ قواعد SIEM: كشف حسابات المشتركين التي تصل إلى بيانات الأعمال خارج ساعات العمل العادية

المدى الطويل:

13. الاتصال بمطوري Broadstreet للحصول على جدول زمني للتصحيح؛ النظر في مكونات بديلة إذا لم يكن هناك تحديث خلال 30 يوماً

14. تنفيذ مبدأ أقل امتياز لأدوار مستخدمي WordPress

15. إجراء مراجعة أمان الكود للمعالجات المخصصة AJAX في بيئة WordPress الخاصة بك

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Information Classification and Handling ECC 2024 A.5.2.1 - Access Control and User Management ECC 2024 A.5.3.1 - Cryptography and Data Protection ECC 2024 A.6.1.1 - Vulnerability Management ECC 2024 A.6.2.1 - Security Monitoring and Incident Response

🔵 SAMA CSF

SAMA CSF ID.AM-2 - Software and Hardware Inventory SAMA CSF PR.AC-1 - Access Control and Authentication SAMA CSF PR.DS-1 - Data Security and Privacy SAMA CSF DE.CM-1 - Detection and Monitoring SAMA CSF RS.MI-1 - Incident Response and Mitigation

🟡 ISO 27001:2022

ISO 27001:2022 A.5.1 - Policies for Information Security ISO 27001:2022 A.5.2 - Information Security Roles and Responsibilities ISO 27001:2022 A.6.1 - Screening and Vetting ISO 27001:2022 A.8.1 - User Endpoint Devices ISO 27001:2022 A.8.2 - Privileged Access Rights ISO 27001:2022 A.8.3 - Information Access Restriction ISO 27001:2022 A.12.6 - Management of Technical Vulnerabilities

🟣 PCI DSS v4.0.1

PCI DSS 1.1 - Firewall Configuration Standards PCI DSS 2.1 - Default Passwords and Security Parameters PCI DSS 6.2 - Security Patches and Updates PCI DSS 7.1 - Access Control Implementation PCI DSS 10.2 - User Access Logging and Monitoring

🔗 References & Sources 2

🔗

https://plugins.trac.wordpress.org/changeset/3524817

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/b3cc3835-25f5-43b3-82be-397b8...

security@wordfence.com

📊 CVSS Score

5.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score5.3

CWECWE-200

EPSS0.04%

Exploit No

Patch ✗ No

Published 2026-05-13

Source Feed nvd

🇸🇦 Saudi Risk Score

6.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-200

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2025-9987

Introduce Yourself

Sign In Required