{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13414", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-19T14:40:22.287Z", "datePublished": "2025-11-25T07:28:19.005Z", "dateUpdated": "2026-04-08T16:37:40.128Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:40.128Z"}, "affected": [{"vendor": "gwendydd", "product": "Chamber Dashboard Business Directory", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.3.11", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Chamber Dashboard Business Directory plugin for WordPress is vulnerable to unauthorized data export due to a missing capability check on the cdash_watch_for_export() function in all versions up to, and including, 3.3.11. This makes it possible for unauthenticated attackers to export business directory information, including sensitive business details."}], "title": "Chamber Dashboard Business Directory <= 3.3.11 - Missing Authorization to Unauthenticated Business Information Export", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1896885a-a104-464a-bb57-2c3c73ff9415?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/chamber-dashboard-business-directory/trunk/options.php#L850"}, {"url": "https://plugins.trac.wordpress.org/browser/chamber-dashboard-business-directory/tags/3.3.11/options.php#L850"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2025-11-24T19:17:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-25T14:43:07.399509Z", "id": "CVE-2025-13414", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:43:27.414Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13414", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-25T14:43:07.399509Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:43:19.969Z"}}], "cna": {"title": "Chamber Dashboard Business Directory <= 3.3.11 - Missing Authorization to Unauthenticated Business Information Export", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "gwendydd", "product": "Chamber Dashboard Business Directory", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.3.11"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-24T19:17:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1896885a-a104-464a-bb57-2c3c73ff9415?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/chamber-dashboard-business-directory/trunk/options.php#L850"}, {"url": "https://plugins.trac.wordpress.org/browser/chamber-dashboard-business-directory/tags/3.3.11/options.php#L850"}], "descriptions": [{"lang": "en", "value": "The Chamber Dashboard Business Directory plugin for WordPress is vulnerable to unauthorized data export due to a missing capability check on the cdash_watch_for_export() function in all versions up to, and including, 3.3.11. This makes it possible for unauthenticated attackers to export business directory information, including sensitive business details."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:40.128Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13414", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:40.128Z", "dateReserved": "2025-11-19T14:40:22.287Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-25T07:28:19.005Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Chamber Dashboard Business Directory plugin for WordPress is vulnerable to unauthorized data export due to a missing capability check on the cdash_watch_for_export() function in all versions up to, and including, 3.3.11. This makes it possible for unauthenticated attackers to export business directory information, including sensitive business details."}], "id": "CVE-2025-13414", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-25T08:15:51.557", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/chamber-dashboard-business-directory/tags/3.3.11/options.php#L850"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/chamber-dashboard-business-directory/trunk/options.php#L850"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1896885a-a104-464a-bb57-2c3c73ff9415?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:33:24.093380+00:00", "value": {"mitigation_remediation": ["Update the Chamber Dashboard Business Directory plugin to version 3.3.12 or later. ", "If an update is not immediately possible, modify the cdash_watch_for_export() function to include a capability check such as current_user_can('manage_options') to restrict export access to privileged users. ", "Disable the export functionality in the plugin settings or remove the export endpoint entirely using a web\u2011application firewall or .htaccess rule to prevent unauthenticated access."], "summary": {"action": "Apply Patch", "impact": "Unauthorized export of business directory data"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the Chamber Dashboard Business Directory plugin with versions up to and including 3.3.11 on any WordPress site that has the plugin enabled. No other vendors or products are noted.", "description_and_impact": "The Chamber Dashboard Business Directory plugin for WordPress contains a missing capability check in the cdash_watch_for_export() function, allowing anyone who can access the plugin\u2019s export endpoint to retrieve business directory information without authentication. The data may include sensitive business details, so an attacker could gain confidential information by simply triggering an export.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation is unlikely to be widespread at present. The plug\u2011in exposes an HTTP endpoint that does not perform a capability check, making the exploit possible even from unauthenticated traffic. Because the flaw is present in all prior releases, sites running any affected version are at risk of data disclosure; the issue is not listed in CISA\u2019s KEV catalog."}}}}, "created": "2025-11-26T11:10:45.591731+00:00", "updated": "2026-04-22T16:45:21.453162+00:00", "vendors": ["gwendydd", "gwendydd$PRODUCT$chamber_dashboard_business_directory", "wordpress", "wordpress$PRODUCT$wordpress"]}