CVE-2025-9987 Overview
CVE-2025-9987 is a sensitive information exposure vulnerability in the Broadstreet plugin for WordPress. The flaw affects all versions up to and including 1.53.1. The issue resides in the get_sponsored_meta() AJAX action, which fails to enforce adequate access controls on returned data. Authenticated users with subscriber-level access or higher can invoke the action to retrieve data from password-protected and private business records. The vulnerability is categorized under [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor).
Critical Impact
Authenticated subscribers can extract restricted business metadata, including details from password-protected and private posts, without elevated privileges.
Affected Products
- Broadstreet plugin for WordPress versions up to and including 1.53.1
- WordPress installations with subscriber registration enabled
- Sites relying on Broadstreet password-protected or private business listings
Discovery Timeline
- 2026-05-13 - CVE-2025-9987 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2025-9987
Vulnerability Analysis
The Broadstreet plugin exposes the get_sponsored_meta() function through a WordPress AJAX endpoint. The handler returns metadata about sponsored or business entries without verifying whether the requesting user has permission to view records flagged as private or password-protected. WordPress treats subscriber accounts as the lowest authenticated tier, making the attack surface broad on any site that allows open registration. The attacker only needs valid session cookies and the ability to issue an authenticated POST request to admin-ajax.php.
Root Cause
The root cause is missing authorization within the AJAX handler. The function checks that a user is logged in but does not call current_user_can() against an appropriate capability, nor does it filter results by the visibility state of the underlying post. As a result, the response payload includes fields that should be gated behind password verification or post-level access checks. This is a classic broken access control pattern in WordPress plugins that combine wp_ajax_ hooks with sensitive read operations.
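A hardened handler for the pattern just described, added here as an illustration and not Broadstreet's code: it keeps the login requirement the original had and adds the post-level capability check and the post-password check whose absence is the root cause. The nonce action name, the post_id request parameter and the returned meta keys are assumptions.

```php
<?php
// Added example: a hardened wp_ajax_ handler for the pattern the advisory describes.
// This is not Broadstreet's code. Assumed names: the nonce action, the 'post_id'
// request parameter and the meta keys returned at the end.

add_action( 'wp_ajax_get_sponsored_meta', 'example_get_sponsored_meta_hardened' );

function example_get_sponsored_meta_hardened() {
    // Reject forged cross-site requests; dies with -1 when the nonce is missing or invalid.
    check_ajax_referer( 'example_sponsored_meta_nonce', 'nonce' );

    // Normalise input before touching the database.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    // The missing authorization step: the original handler only required a login.
    // 'read_post' is the meta capability WordPress resolves to read_private_posts for
    // private posts, so a subscriber is refused for private records here.
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 'read_post' says nothing about the post password, so check that separately:
    // post_password_required() stays true until the visitor has unlocked the post.
    if ( post_password_required( $post ) ) {
        wp_send_json_error( array( 'message' => 'Password required.' ), 403 );
    }

    // Return an allow-list of fields rather than the full meta table (keys are assumed).
    $meta = array();
    foreach ( array( 'sponsor_name', 'sponsor_url' ) as $key ) {
        $meta[ $key ] = get_post_meta( $post->ID, $key, true );
    }
    wp_send_json_success( $meta );
}
```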
Attack Vector
The attack is remote and network-based. An attacker registers or logs in as a subscriber, then sends a crafted POST request to the get_sponsored_meta AJAX action. The server responds with metadata that should remain confidential. No user interaction is required beyond the authenticated request, and exploitation requires no elevated privileges. The Wordfence advisory documents the request structure and the fields returned by the vulnerable handler.
No public proof-of-concept exploit is referenced in the advisory data. See the Wordfence Vulnerability Analysis for technical details on the request and response patterns.
Detection Methods for CVE-2025-9987
Indicators of Compromise
- Unexpected authenticated POST requests to /wp-admin/admin-ajax.php carrying the parameter action=get_sponsored_meta.
- Subscriber accounts generating high volumes of AJAX traffic that they would not normally produce.
- New subscriber registrations followed shortly by repeated calls to Broadstreet AJAX endpoints.
Detection Strategies
- Review web server and WordPress access logs for admin-ajax.php calls referencing get_sponsored_meta from low-privilege accounts.
- Correlate authentication events with AJAX activity to flag accounts that read business metadata without ever visiting standard subscriber pages.
- Check whether the installed Broadstreet plugin version is 1.53.1 or earlier across managed WordPress estates.
Monitoring Recommendations
- Alert on bursts of get_sponsored_meta requests originating from a single IP or session.
- Track creation of new subscriber accounts followed by sensitive data retrieval within short time windows.
- Forward WordPress audit logs to a central analytics platform for retention and cross-site correlation.
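As an added example (not from the advisory or the vendor), a must-use plugin that logs every call to the action with the caller's role, client IP and a 60-second call count, so the detection and monitoring strategies above can be applied from WordPress's own records rather than access logs alone. The error_log sink, the window and the burst threshold are assumptions.

```php
<?php
/**
 * Plugin Name: Example monitor for get_sponsored_meta calls
 *
 * Added example, not the advisory's or the vendor's code. Saved under
 * wp-content/mu-plugins/ it loads on every request; priority 0 makes it run
 * before the plugin's own handler (default priority 10) without altering it.
 * Assumptions: PHP error_log as the sink, a 60-second window and a burst
 * threshold of 10 calls; tune both per site.
 */

add_action( 'wp_ajax_get_sponsored_meta', 'example_log_sponsored_meta_call', 0 );

function example_log_sponsored_meta_call() {
    $user  = wp_get_current_user();            // wp_ajax_ hooks only fire for logged-in users
    $roles = (array) $user->roles;
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';

    // Per-user call counter that expires after 60 s (transient API, no schema change).
    $key   = 'example_gsm_calls_' . $user->ID;
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, 60 );

    $flags = array();
    if ( in_array( 'subscriber', $roles, true ) ) {
        $flags[] = 'low_privilege_caller';       // indicator: subscriber reading business metadata
    }
    if ( $count >= 10 ) {
        $flags[] = 'burst';                      // indicator: repeated calls in a short window
    }

    // One JSON line per call; ship error_log to the central platform for cross-site correlation.
    error_log( wp_json_encode( array(
        'event'     => 'broadstreet_get_sponsored_meta',
        'time'      => gmdate( 'c' ),
        'user'      => $user->user_login,
        'roles'     => implode( ',', $roles ),
        'ip'        => $ip,
        'method'    => isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '',
        'count_60s' => $count,
        'flags'     => implode( ',', $flags ),
    ) ) );
}
```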
How to Mitigate CVE-2025-9987
Immediate Actions Required
- Update the Broadstreet plugin to a version newer than 1.53.1 as soon as the vendor releases a fix.
- Audit existing subscriber accounts and remove unrecognized or stale registrations.
- Review which business records were configured as private or password-protected and assume their metadata may have been exposed.
Patch Information
The code change addressing this vulnerability is recorded in WordPress Changeset 3524817. Site administrators should upgrade to the fixed release distributed through the WordPress plugin repository. Verify the installed version after upgrade through the WordPress admin Plugins screen.
Workarounds
- Disable open user registration on affected WordPress sites until the patched plugin version is deployed.
- Temporarily deactivate the Broadstreet plugin if private business metadata must remain confidential and patching is delayed.
- Restrict access to /wp-admin/admin-ajax.php for the get_sponsored_meta action using a web application firewall rule.
# Example WAF rule fragment (ModSecurity syntax) to block the vulnerable AJAX action
# Drop any request to admin-ajax.php whose action parameter is get_sponsored_meta
# (wp_ajax handlers answer GET as well as POST, so the method is deliberately not restricted;
# REQUEST_FILENAME is used because REQUEST_URI includes the query string and would not
# end with admin-ajax.php when the action is passed as ?action=...; phase:2 makes POST body
# parameters available to the chained rule)
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:1009987,phase:2,deny,status:403,log,msg:'Block Broadstreet get_sponsored_meta CVE-2025-9987',chain"
    SecRule ARGS:action "@streq get_sponsored_meta" "t:none,t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.