CVE-2025-13414: CWE-862 Missing Authorization in gwendydd Chamber Dashboard Business Directory
The Chamber Dashboard Business Directory plugin for WordPress is vulnerable to unauthorized data export due to a missing capability check on the cdash_watch_for_export() function in all versions up to, and including, 3.3.11. This makes it possible for unauthenticated attackers to export business directory information, including sensitive business details.
AI Analysis
Technical Summary
The Chamber Dashboard Business Directory plugin for WordPress, developed by gwendydd, suffers from a missing authorization vulnerability identified as CVE-2025-13414. The root cause is the absence of a capability check in the cdash_watch_for_export() function, which handles exporting business directory data. This flaw exists in all versions up to and including 3.3.11. Because the function does not verify whether the requester has appropriate permissions, unauthenticated attackers can invoke it remotely to export sensitive business information stored in the directory. The vulnerability is classified under CWE-862 (Missing Authorization) and has a CVSS v3.1 base score of 5.3, reflecting a medium severity level. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality (C:L) but not integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. This vulnerability exposes sensitive business data, potentially including contact details, business descriptions, and other proprietary information, which could be leveraged for competitive intelligence, phishing, or other malicious activities.
Potential Impact
The primary impact of CVE-2025-13414 is the unauthorized disclosure of sensitive business directory information. Organizations using the vulnerable plugin risk exposure of confidential business data to unauthenticated attackers, which can lead to privacy violations, reputational damage, and potential regulatory compliance issues depending on jurisdiction. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach alone can facilitate targeted phishing campaigns, social engineering, or competitive intelligence gathering. Small and medium-sized businesses listed in the directory are particularly vulnerable, as their information may be less protected elsewhere. The ease of exploitation—requiring no authentication or user interaction—means attackers can automate data harvesting at scale. This could result in large-scale data leaks affecting multiple organizations using the plugin worldwide.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately verify if they are running any version of the Chamber Dashboard Business Directory plugin up to 3.3.11 and plan to upgrade to a patched version once available. In the absence of an official patch, administrators should implement strict access controls at the web server or application firewall level to restrict access to the export functionality, ensuring only authorized users can invoke it. Reviewing and hardening WordPress user roles and capabilities related to the plugin can reduce risk. Additionally, monitoring web server logs for unusual export requests or spikes in data export activity can help detect exploitation attempts. If feasible, temporarily disabling the export feature until a fix is released is advisable. Organizations should also educate their staff about the risks of data exposure and consider encrypting sensitive business information stored in the directory to limit the impact of unauthorized exports.
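The pattern behind CWE-862 here, and the check that closes it, as a schematic WordPress export hook (added example, not the plugin's code; the function names, the `example_export` query parameter, the nonce action and the `business` post type are assumptions):

```php
<?php
// Added illustration, not the plugin's code. An export routine hooked on the
// public `init` action: first the unguarded form, then the hardened form.
// Names below (example_*, the `example_export` parameter, the nonce action and
// the `business` post type) are hypothetical.

// Vulnerable pattern: `init` fires for every request, including anonymous
// ones, so any visitor who supplies the parameter receives the full export.
function example_export_unguarded() {
    if ( empty( $_GET['example_export'] ) ) {
        return;
    }
    example_stream_directory_csv();
}

// Hardened pattern: authenticate, then authorize via a capability check, then
// require a nonce so a logged-in admin cannot be made to trigger it by a
// forged cross-site request. Nothing is read before all three pass.
function example_export_guarded() {
    if ( empty( $_GET['example_export'] ) ) {
        return;
    }
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not permitted', 'Forbidden', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_export_nonce' ); // dies with 403 on a missing or stale nonce
    example_stream_directory_csv();
}

// Streams every listing as CSV and terminates the request.
function example_stream_directory_csv() {
    $listings = get_posts( array( 'post_type' => 'business', 'numberposts' => -1 ) );
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="directory.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'ID', 'Title' ) );
    foreach ( $listings as $listing ) {
        fputcsv( $out, array( $listing->ID, $listing->post_title ) );
    }
    fclose( $out );
    exit;
}

// Only the guarded handler should ever be registered.
add_action( 'init', 'example_export_guarded' );
```

The nonce is created on the admin side with `wp_nonce_url( $export_url, 'example_export_nonce' )`, which appends the `_wpnonce` parameter that `check_admin_referer()` validates.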
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, India, France, Netherlands, Brazil, South Africa
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-19T14:40:22.287Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69255e2a292ce6fc00be0642
Added to database: 11/25/2025, 7:43:38 AM
Last enriched: 2/27/2026, 9:51:16 AM
Last updated: 3/25/2026, 4:21:55 AM