CVE-2025-13528: CWE-862 Missing Authorization in nedwp Feedback Modal for Website
The Feedback Modal for Website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handle_export' function in all versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to export all feedback data in CSV or JSON format via the 'export_data' parameter.
AI Analysis
Technical Summary
CVE-2025-13528 is a vulnerability classified under CWE-862 (Missing Authorization) found in the 'Feedback Modal for Website' WordPress plugin developed by nedwp. The issue resides in the 'handle_export' function, which lacks proper capability checks to verify if a user is authorized to export feedback data. This omission allows unauthenticated attackers to remotely invoke the export functionality by supplying the 'export_data' parameter, resulting in the export of all feedback data collected by the plugin in either CSV or JSON format. Since the vulnerability does not require authentication or user interaction, it can be exploited easily by any remote attacker scanning for vulnerable sites. The CVSS 3.1 base score is 5.3 (medium), reflecting the network attack vector, low complexity, no privileges required, no user interaction, and limited impact confined to confidentiality loss. The vulnerability does not affect data integrity or availability. No patches or fixes have been published at the time of disclosure, and no known exploits have been observed in the wild. The plugin is used on WordPress sites, which are widely deployed across various industries, including e-commerce, corporate websites, and public sector portals. The exposure of feedback data could lead to privacy violations, reputational damage, and potential compliance issues under data protection regulations such as GDPR. The vulnerability highlights the importance of implementing strict authorization checks on all sensitive operations within web applications and plugins.
Potential Impact
For European organizations, this vulnerability primarily threatens the confidentiality of user-submitted feedback data, which may include personally identifiable information or sensitive opinions. Unauthorized data export could lead to privacy breaches, undermining user trust and potentially resulting in regulatory penalties under GDPR. Although the vulnerability does not impact system integrity or availability, the exposure of feedback data can have reputational consequences and may facilitate further targeted attacks if sensitive information is disclosed. Organizations relying on the affected plugin for customer interaction or feedback collection risk data leakage without any authentication barrier. The ease of exploitation means attackers can quickly harvest data from multiple vulnerable sites, increasing the scale of impact. Public sector entities, e-commerce platforms, and service providers using this plugin are particularly at risk, as they often handle sensitive user data and are subject to strict compliance requirements.
Mitigation Recommendations
1. Immediately restrict access to the export functionality by implementing server-side access controls, such as IP whitelisting or authentication requirements, until an official patch is available.
2. Modify the plugin code to add proper capability checks in the 'handle_export' function, ensuring only authorized users (e.g., administrators) can perform data exports.
3. Monitor web server logs and WordPress access logs for unusual or repeated requests containing the 'export_data' parameter, which may indicate exploitation attempts.
4. Disable or uninstall the 'Feedback Modal for Website' plugin if it is not essential to reduce the attack surface.
5. Regularly update WordPress and all plugins to their latest versions once patches addressing this vulnerability are released.
6. Conduct a data audit to identify what feedback data has been collected and assess potential exposure.
7. Inform users and stakeholders if a data breach is suspected, in compliance with GDPR notification requirements.
8. Employ web application firewalls (WAFs) with custom rules to block unauthorized export attempts targeting this vulnerability.
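The capability check that the technical summary says 'handle_export' lacks, and that recommendation 2 asks for, looks like this in a WordPress admin-post handler. This is an added illustration, not nedwp's plugin code: the hook name, the chosen capability, the nonce action and the helper fm_get_feedback_rows() with its sample rows are assumptions; only the function role and the 'export_data' parameter come from the advisory.

```php
<?php
// Added illustration, not the plugin's code: an export handler in the shape of
// 'handle_export' with the authorization check the advisory says was missing.
// Hook name, capability, nonce action and fm_get_feedback_rows() are assumptions.

// Only the logged-in variant of the admin-post hook is registered. The
// 'admin_post_nopriv_*' variant fires for anonymous visitors and is left out on purpose.
add_action( 'admin_post_feedback_modal_export', 'fm_handle_export' );

function fm_handle_export() {
    // 1. Authorization (the missing CWE-862 check): require a capability, not
    //    merely "is logged in". Subscribers have a session but must not export.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed to export feedback.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. Anti-CSRF: an administrator must not be tricked into triggering the export.
    check_admin_referer( 'feedback_modal_export' );

    // 3. Validate 'export_data' against an allow-list instead of trusting it.
    $format = isset( $_GET['export_data'] ) ? sanitize_key( wp_unslash( $_GET['export_data'] ) ) : 'csv';
    if ( ! in_array( $format, array( 'csv', 'json' ), true ) ) {
        wp_die( 'Unsupported export format.', 'Bad Request', array( 'response' => 400 ) );
    }

    $rows = fm_get_feedback_rows();
    nocache_headers();
    if ( 'json' === $format ) {
        header( 'Content-Type: application/json; charset=utf-8' );
        header( 'Content-Disposition: attachment; filename="feedback.json"' );
        echo wp_json_encode( $rows );
    } else {
        header( 'Content-Type: text/csv; charset=utf-8' );
        header( 'Content-Disposition: attachment; filename="feedback.csv"' );
        $out = fopen( 'php://output', 'w' );
        fputcsv( $out, array( 'submitted_at', 'rating', 'message' ) );
        foreach ( $rows as $row ) {
            fputcsv( $out, $row );
        }
        fclose( $out );
    }
    exit;
}

// Assumed storage helper; returns constructed sample rows so the file stands alone.
function fm_get_feedback_rows() {
    return array(
        array( 'submitted_at' => '2025-12-01 09:14:00', 'rating' => 4, 'message' => 'Checkout was smooth.' ),
        array( 'submitted_at' => '2025-12-02 17:40:00', 'rating' => 2, 'message' => 'Modal blocked the page.' ),
    );
}
```

Registering only the `admin_post_` hook means an anonymous request never reaches the function; the `current_user_can()` check then closes the gap for low-privilege accounts that do have a session.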
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-21T20:13:43.820Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69327173f88dbe026c7799bc
Added to database: 12/5/2025, 5:45:23 AM
Last enriched: 12/5/2025, 6:02:28 AM
Last updated: 12/9/2025, 10:04:00 PM