[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQk65_Ki7w92I5RkHcnxkZvH3x0qVjLmcLrgt2sDTjkc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":9,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":35},"CVE-2025-9987","broadstreet-authenticated-subscriber-information-disclosure","Broadstreet \u003C= 1.53.1 - Authenticated (Subscriber+) Information Disclosure","The Broadstreet plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.53.1 via the get_sponsored_meta() AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract data from password protected and private business details.","broadstreet",null,"\u003C=1.53.1","1.53.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-05-12 15:29:58","2026-05-13 04:26:45",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb3cc3835-25f5-43b3-82be-397b8b3bd369?source=api-prod",1,[22,23,24],"Broadstreet\u002FConfig.php","broadstreet.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2025-9987 - Broadstreet Information Disclosure\n\n## 1. Vulnerability Summary\nThe Broadstreet plugin (\u003C= 1.53.1) contains an information disclosure vulnerability in its AJAX handling logic. Specifically, the `get_sponsored_meta()` AJAX action (registered via `wp_ajax_get_sponsored_meta` and potentially `wp_ajax_nopriv_get_sponsored_meta`) fails to perform adequate authorization or visibility checks. This allows authenticated users (with Subscriber-level permissions or higher) to retrieve post metadata from posts that should be restricted, such as private posts or password-protected posts containing sensitive business details.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `get_sponsored_meta`\n- **Parameters:**\n  - `action`: `get_sponsored_meta`\n  - `post_id` (or `id`): The ID of the target post (inferred).\n  - `_wpnonce`: (Likely required if registered via standard WordPress AJAX patterns).\n- **Authentication:** Subscriber-level access is required according to the description (CVSS suggests PR:N, so unauthenticated access should also be tested).\n- **Preconditions:** A post exists that is either \"Private\" or \"Password Protected\" and contains metadata (custom fields).\n\n## 3. Code Flow\n*Note: `Broadstreet\u002FCore.php` was not provided in the source snippet, but the vulnerability is tied to the `get_sponsored_meta` action registered in the plugin's initialization.*\n\n1. **Initialization:** The plugin initializes `Broadstreet_Core` in `broadstreet.php`.\n2. **Hook Registration:** `Broadstreet_Core` (likely in a `_register_ajax` or `init` method) registers the hook:\n   `add_action('wp_ajax_get_sponsored_meta', array($this, 'get_sponsored_meta'));`\n3. **Execution:** When the AJAX action is called:\n   - The handler retrieves a `post_id` from `$_POST` or `$_GET`.\n   - It calls `get_post_meta($post_id)` or a similar function to fetch data.\n   - **Vulnerability:** It fails to check if the current user has permission to read the post (e.g., via `current_user_can('read_post', $post_id)`) or if the post is password protected (`post_password_required($post_id)`).\n4. **Sink:** The metadata is returned as a JSON response to the unauthorized requester.\n\n## 4. Nonce Acquisition Strategy\nTo find the nonce and the correct variable names, we will use the `browser_eval` tool.\n\n1. **Identify Script Localization:** The plugin likely uses `wp_localize_script` to pass a nonce to the frontend.\n2. **Search Strategy:**\n   - Use `grep -r \"wp_create_nonce\" .` to find the action string used for the `get_sponsored_meta` nonce.\n   - Use `grep -r \"wp_localize_script\" .` to find the JavaScript object name.\n3. **Common Patterns for Broadstreet:**\n   - Potential JS object: `Broadstreet` or `broadstreet_ajax`.\n   - Potential nonce key: `nonce`.\n4. **Execution Steps:**\n   - Create a page containing a Broadstreet widget or shortcode (e.g., `[broadstreet_zone]`) if one exists, to ensure the script is loaded.\n   - Navigate to that page.\n   - Run: `browser_eval(\"window.Broadstreet?.nonce\")` (inferred) or inspect the page source for `wp-admin\u002Fadmin-ajax.php` references.\n\n## 5. Exploitation Strategy\n\n### Step 1: Target Identification\nFind a Post ID for a private or password-protected post. We will create one for testing.\n\n### Step 2: Information Extraction\nSend an authenticated POST request to the AJAX endpoint.\n\n**Request Template:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** `action=get_sponsored_meta&post_id=[TARGET_ID]&_wpnonce=[NONCE]`\n\n### Step 3: Payload Probing\nSince the exact parameter name for the post ID is inferred:\n1. Try `post_id`.\n2. Try `id`.\n3. Try `postID`.\n\n## 6. Test Data Setup\n1. **Create Administrator User:** To set up the sensitive data.\n2. **Create Subscriber User:** To act as the attacker.\n3. **Create Protected Content:**\n   - Create a new post.\n   - Set status to `private` or set a password.\n   - Add sensitive custom fields (metadata) using WP-CLI:\n     `wp post meta add [ID] secret_business_key \"Confidential Information\"`\n     `wp post meta add [ID] bs_sponsored_data \"Hidden Revenue Stats\"`\n\n## 7. Expected Results\n- A successful exploit will return a `200 OK` status and a JSON body containing the metadata of the protected post.\n- Example response: `{\"success\": true, \"data\": {\"secret_business_key\": \"Confidential Information\", \"bs_sponsored_data\": \"Hidden Revenue Stats\"}}`\n\n## 8. Verification Steps\n1. **WP-CLI Check:** Verify the metadata exists on the post:\n   `wp post meta list [ID]`\n2. **Permission Check:** Confirm the Subscriber user *cannot* see the post content normally:\n   `browser_navigate` to the post URL while logged in as Subscriber and verify a 404 or \"Post not found\" message.\n3. **Comparison:** Compare the data returned by the AJAX request with the data retrieved via WP-CLI.\n\n## 9. Alternative Approaches\n- **Unauthenticated Check:** Test if `wp_ajax_nopriv_get_sponsored_meta` is registered. If so, attempt the request without the Subscriber cookies.\n- **Bulk Extraction:** If the `post_id` parameter is missing or can be an array, try to extract metadata for multiple posts at once.\n- **Parameter Mining:** If `post_id` fails, use `grep` on the plugin directory to find the specific variable name used in the `get_sponsored_meta` function within `Core.php`.\n  `grep -rn \"function get_sponsored_meta\" -A 10`","The Broadstreet plugin for WordPress is vulnerable to unauthorized information disclosure via the `get_sponsored_meta` AJAX action. This flaw allows authenticated attackers with Subscriber-level permissions to retrieve post metadata from private or password-protected posts, as the plugin fails to perform proper authorization or visibility checks on the requested post ID.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.1\u002FBroadstreet\u002FConfig.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.2\u002FBroadstreet\u002FConfig.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.1\u002FBroadstreet\u002FConfig.php\t2026-05-06 11:03:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.2\u002FBroadstreet\u002FConfig.php\t2026-05-06 11:03:36.000000000 +0000\n@@ -140,4 +140,4 @@\n     }\n }\n \n-define('BROADSTREET_VERSION', '1.53.1');\n+define('BROADSTREET_VERSION', '1.53.2');\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.1\u002Fbroadstreet.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.2\u002Fbroadstreet.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.1\u002Fbroadstreet.php\t2026-05-06 11:03:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.2\u002Fbroadstreet.php\t2026-05-06 11:03:36.000000000 +0000\n@@ -3,7 +3,7 @@\n Plugin Name: Broadstreet\n Plugin URI: http:\u002F\u002Fbroadstreetads.com\n Description: Integrate Broadstreet business directory and adserving power into your site\n-Version: 1.53.1\n+Version: 1.53.2\n Tested up to: 6.9\n Author: Broadstreet\n Author URI: http:\u002F\u002Fbroadstreetads.com\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.1\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.2\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.1\u002Freadme.txt\t2026-05-06 11:03:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbroadstreet\u002F1.53.2\u002Freadme.txt\t2026-05-06 11:03:36.000000000 +0000\n@@ -3,7 +3,7 @@\n Tags: broadstreet,local,publishers,hyperlocal,independent,news,business,directory\n Requires at least: 3.0\n Tested up to: 6.9\n-Stable tag: 1.53.1\n+Stable tag: 1.53.2\n \n Integrate Broadstreet adserving power into your site.","To exploit this vulnerability, an attacker first authenticates as a Subscriber-level user. They must then identify the ID of a target private or password-protected post. By locating the AJAX nonce (typically provided via localized scripts in the site's frontend), the attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action parameter set to get_sponsored_meta and the target post_id. The application returns the full metadata associated with that post, bypassing access controls that should prevent visibility into restricted content.","gemini-3-flash-preview","2026-05-14 18:01:33","2026-05-14 18:02:01",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","1.53.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbroadstreet\u002Ftags\u002F1.53.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbroadstreet.1.53.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbroadstreet\u002Ftags\u002F1.53.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbroadstreet.1.53.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbroadstreet\u002Ftags"]