CVE-2025-13528 identifies a missing authorization vulnerability (CWE-862) in the 'Feedback Modal for Website' WordPress plugin developed by nedwp. The vulnerability exists in all versions up to and including 1.0.1, where the 'handle_export' function lacks a capability check to verify if the user is authorized to export feedback data. This omission allows unauthenticated attackers to invoke the export functionality remotely by supplying the 'export_data' parameter, resulting in the export of all feedback data collected by the plugin in either CSV or JSON format. The vulnerability is remotely exploitable without any authentication or user interaction, making it accessible to any attacker who can reach the affected WordPress site. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the low complexity of attack and the confidentiality impact due to unauthorized data disclosure. The vulnerability does not impact data integrity or availability. No patches or official fixes are currently available, and no known exploits have been reported in the wild. The plugin is typically used to collect user feedback on websites, which may contain sensitive or personally identifiable information, increasing the risk of privacy violations if exploited.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of user feedback data, which may include sensitive personal information subject to GDPR protections. Exposure of such data can lead to privacy breaches, reputational damage, and potential regulatory penalties under European data protection laws. Organizations relying on the 'Feedback Modal for Website' plugin for customer or user feedback are at risk of data leakage without any authentication barrier. Although the vulnerability does not allow data modification or service disruption, the confidentiality breach alone can have significant consequences, especially for sectors handling sensitive user data such as healthcare, finance, and public services. The ease of exploitation and lack of authentication requirements increase the likelihood of opportunistic attacks targeting vulnerable WordPress sites across Europe.

Until an official patch is released, European organizations should implement immediate compensating controls. These include restricting access to the export functionality by implementing web application firewall (WAF) rules that block or monitor requests containing the 'export_data' parameter from unauthenticated sources. Administrators should audit and limit plugin usage to trusted personnel only and consider disabling or removing the plugin if feedback export is not essential. Monitoring web server logs for unusual export attempts can help detect exploitation attempts early. Organizations should subscribe to vendor and security advisories for updates and apply patches promptly once available. Additionally, reviewing and minimizing the amount of sensitive data collected via the plugin can reduce potential exposure. Employing network segmentation and access controls to limit external access to WordPress administration endpoints can further reduce risk.