CVE-2025-13528 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Feedback Modal for Website plugin for WordPress, developed by nedwp. The issue arises because the 'handle_export' function lacks a proper capability check, which is a critical authorization control that should restrict access to authorized users only. As a result, any unauthenticated attacker can invoke this function remotely by sending a specially crafted request containing the 'export_data' parameter. This triggers the export of all feedback data collected by the plugin in either CSV or JSON format, exposing potentially sensitive user feedback information. The vulnerability affects all versions up to and including 1.0.1, with no patches currently available. The CVSS 3.1 base score is 5.3, reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality only (C:L), without affecting integrity or availability. The scope remains unchanged (S:U), meaning the exploit affects only the vulnerable component. No known exploits have been reported in the wild, but the vulnerability poses a significant privacy risk for websites using this plugin. The lack of authorization checks is a common security oversight that can lead to unauthorized data disclosure, potentially violating privacy regulations and damaging organizational reputation.

The primary impact of this vulnerability is the unauthorized disclosure of feedback data collected via the plugin. This can lead to leakage of sensitive user opinions, contact information, or other personal data submitted through feedback forms. Organizations may face privacy compliance issues, reputational damage, and loss of customer trust if such data is exposed. Since the vulnerability does not affect data integrity or availability, it does not enable data manipulation or denial of service. However, the ease of exploitation without authentication and user interaction means attackers can quickly harvest data from vulnerable sites at scale. This risk is particularly acute for organizations relying on the plugin to collect customer feedback, surveys, or other sensitive inputs. The absence of known exploits in the wild suggests limited current exploitation, but the vulnerability's public disclosure increases the likelihood of future attacks. Overall, the impact is moderate but significant enough to warrant prompt mitigation.

1. Immediately audit all WordPress sites to identify installations of the Feedback Modal for Website plugin, especially versions up to 1.0.1. 2. Disable or remove the plugin temporarily if an update or patch is not available to prevent exploitation. 3. Monitor web server logs for suspicious requests containing the 'export_data' parameter to detect potential exploitation attempts. 4. Implement web application firewall (WAF) rules to block unauthorized access to the export functionality or restrict access to trusted IP addresses. 5. If possible, apply custom code patches to add proper capability checks in the 'handle_export' function, ensuring only authorized users can export data. 6. Educate site administrators on the importance of plugin updates and the risks of missing authorization controls. 7. Once a vendor patch is released, prioritize updating the plugin to the fixed version. 8. Review and enhance overall WordPress site security posture, including principle of least privilege for user roles and regular security audits. These steps go beyond generic advice by focusing on immediate risk reduction through detection, access control, and temporary disabling until a vendor fix is available.