{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7368", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-08T19:16:31.343Z", "datePublished": "2025-09-06T01:45:17.560Z", "dateUpdated": "2026-04-08T16:56:18.331Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:18.331Z"}, "affected": [{"vendor": "sizam", "product": "REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "19.9.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 19.9.7 via the 'ajax_action_re_getfullcontent' function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected posts that they should not have access to."}], "title": "Rehub <= 19.9.7 - Unauthenticated Password Protected Post Disclosure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5f24313e-c246-44f8-b144-d95c55e71456?source=cve"}, {"url": "https://themeforest.net/item/rehub-directory-multi-vendor-shop-coupon-affiliate-theme/7646339#item-description__19-9-8-15-augl-2025"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "timeline": [{"time": "2025-07-22T17:24:25.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-05T13:04:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-08T13:58:13.024303Z", "id": "CVE-2025-7368", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-08T14:05:52.519Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7368", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-08T13:58:13.024303Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-08T13:58:15.297Z"}}], "cna": {"title": "Rehub <= 19.9.7 - Unauthenticated Password Protected Post Disclosure", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "sizam", "product": "REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "19.9.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-22T17:24:25.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-05T13:04:32.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5f24313e-c246-44f8-b144-d95c55e71456?source=cve"}, {"url": "https://themeforest.net/item/rehub-directory-multi-vendor-shop-coupon-affiliate-theme/7646339#item-description__19-9-8-15-augl-2025"}], "descriptions": [{"lang": "en", "value": "The REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 19.9.7 via the 'ajax_action_re_getfullcontent' function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected posts that they should not have access to."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:18.331Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7368", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:56:18.331Z", "dateReserved": "2025-07-08T19:16:31.343Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-06T01:45:17.560Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 19.9.7 via the 'ajax_action_re_getfullcontent' function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected posts that they should not have access to."}], "id": "CVE-2025-7368", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-06T02:15:30.560", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/rehub-directory-multi-vendor-shop-coupon-affiliate-theme/7646339#item-description__19-9-8-15-augl-2025"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5f24313e-c246-44f8-b144-d95c55e71456?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:15:37.428016+00:00", "value": {"mitigation_remediation": ["Upgrade the REHub theme to version 19.9.8 or later, which contains the fix for the access control issue.", "Verify that the ajax_action_re_getfullcontent endpoint only returns posts for which the requester has proper permissions, ensuring that password\u2011protected posts are no longer exposed to unauthenticated users.", "As a short\u2011term workaround, block or restrict access to the endpoint on the web server (e.g., via .htaccess or nginx rules) or configure the theme to disable the endpoint for password\u2011protected posts until a patch is available."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the REHub \u2013 Price Comparison, Multi Vendor Marketplace WordPress Theme up to and including version 19.9.7, released by sizam. Users who have installed any of these versions on their WordPress sites are potentially impacted.", "description_and_impact": "The REHub theme for WordPress allows an unauthenticated attacker to retrieve the full content of password-protected posts through the ajax_action_re_getfullcontent endpoint. Because the endpoint does not sufficiently restrict which posts are returned, an attacker can read content they should not have access to, resulting in the unauthorized disclosure of private or sensitive information.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate impact, and the EPSS score of < 1% shows that the likelihood of exploitation is currently very low. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated web request to the exposed AJAX action; an attacker does not need prior authentication or special privileges to trigger the information leak."}}}}, "created": "2026-04-21T03:30:26.326576+00:00", "updated": "2026-04-21T03:30:26.326599+00:00", "vendors": []}