The vulnerability identified as CVE-2025-13136 affects the GSheetConnector For Ninja Forms plugin for WordPress, specifically all versions up to and including 2.0.1. The root cause is a missing authorization check (CWE-862) on the 'njform-google-sheet-config' administrative page, which allows any authenticated user with at least Subscriber-level privileges to access configuration data that should be restricted. This page is intended to be accessed only by users with higher privileges, such as administrators. Because WordPress often grants Subscriber roles to registered users with minimal permissions, this vulnerability effectively escalates access to sensitive plugin configuration information without requiring elevated privileges. The vulnerability is remotely exploitable over the network without user interaction, and it does not require any additional authentication beyond the Subscriber-level login. The disclosed CVSS v3.1 score of 4.3 reflects a medium severity, primarily due to the limited confidentiality impact and lack of integrity or availability consequences. No public exploits have been reported yet, but the vulnerability could be leveraged for reconnaissance or further attacks if combined with other weaknesses. The absence of a patch link suggests that a fix may not yet be available, emphasizing the need for interim mitigations.

The primary impact of this vulnerability is unauthorized disclosure of potentially sensitive configuration data related to the GSheetConnector plugin. While it does not allow modification or deletion of data, the information obtained could aid attackers in mapping the target environment or planning further attacks. Organizations using this plugin on WordPress sites are at risk of information leakage, which could compromise confidentiality. Since Subscriber-level accounts are commonly assigned to registered users or contributors, the attack surface is relatively broad within affected sites. This could be exploited in multi-user environments such as membership sites, forums, or intranets. Although the vulnerability does not directly affect system integrity or availability, the information disclosure could facilitate social engineering, privilege escalation, or targeted attacks. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent future exploitation.

Organizations should immediately audit user roles and permissions to ensure that Subscriber-level accounts are assigned only to trusted users. Restrict access to the 'njform-google-sheet-config' page by implementing custom capability checks or using WordPress security plugins that enforce stricter access controls. Monitor access logs for unusual activity involving this page. If possible, temporarily disable or remove the GSheetConnector For Ninja Forms plugin until an official patch is released. Engage with the plugin vendor or community to obtain updates or patches addressing this vulnerability. Implement web application firewalls (WAFs) with rules to detect and block unauthorized access attempts to the affected page. Conduct regular security assessments of WordPress plugins to identify and remediate similar authorization issues. Educate site administrators about the risks of assigning unnecessary privileges to users and the importance of plugin security hygiene.