
CVE-2025-3851: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in themesgrove Download Manager and Payment Form WordPress Plugin – WP SmartPay

Severity: Medium
Tags: Vulnerability, CVE-2025-3851, CWE-200
Published: Wed May 07 2025 (05/07/2025, 01:43:07 UTC)
Source: CVE
Vendor/Project: themesgrove
Product: Download Manager and Payment Form WordPress Plugin – WP SmartPay

Description

The Download Manager and Payment Form WordPress Plugin – WP SmartPay plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 1.1.0 to 2.7.13 via the show() function due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other users' data such as email address, name, and notes.

AI-Powered Analysis

Last updated: 07/05/2025, 14:24:50 UTC

Technical Analysis

CVE-2025-3851 is a medium-severity vulnerability affecting the Download Manager and Payment Form WordPress Plugin – WP SmartPay, developed by themesgrove. The vulnerability arises from an Insecure Direct Object Reference (IDOR) issue in the plugin's show() function, which lacks proper validation of a user-controlled key parameter. This flaw allows authenticated users with Subscriber-level privileges or higher to access sensitive information belonging to other users, including email addresses, names, and notes. The affected versions range from 1.1.0 to 2.7.13, with the vulnerability specifically confirmed in version 1.1.0. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network (AV:N). The CVSS 3.1 base score is 4.3, reflecting a medium severity primarily due to the confidentiality impact without affecting integrity or availability. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). No public exploits have been reported yet, and no patches are currently linked, indicating that users should be vigilant for forthcoming updates. The issue stems from insufficient access control checks, allowing attackers to manipulate the key parameter to retrieve data of other users, violating data privacy principles and potentially exposing personally identifiable information (PII).
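The following added example illustrates the class of flaw described above in the plugin's own language: a show() handler that returns whatever record a client-supplied key names, next to a hardened version that ties the lookup to the current user. It is hypothetical code written for this page, not WP SmartPay's implementation; the record layout, the `user_id` field and the `manage_options` capability check are assumptions, and the stand-in functions exist only so the file runs outside WordPress.

```php
<?php
// Hypothetical illustration of an IDOR in a show()-style handler and its fix.
// Not WP SmartPay's code or data model.

// Stand-ins so this file runs with plain `php`; inside WordPress the real
// functions are defined and these definitions are skipped.
if (!function_exists('get_current_user_id')) {
    function get_current_user_id(): int { return 7; }        // constructed: a logged-in Subscriber
    function current_user_can(string $cap): bool { return false; } // Subscribers lack manage_options
}

// Constructed sample records, keyed by the value the client sends in the request.
$records = [
    'k1' => ['user_id' => 7, 'email' => 'alice@example.org', 'name' => 'Alice', 'notes' => 'VIP'],
    'k2' => ['user_id' => 9, 'email' => 'bob@example.org',   'name' => 'Bob',   'notes' => 'late payer'],
];

// Vulnerable pattern: being authenticated is the only requirement, so any
// Subscriber who guesses or enumerates a key receives someone else's record.
function show_vulnerable(array $records, string $key): ?array {
    return $records[$key] ?? null;   // no ownership or capability check
}

// Hardened pattern: the key still selects the record, but the server decides
// whether the caller may see it: the record must belong to the current user,
// or the caller must hold an administrative capability.
function show_hardened(array $records, string $key): ?array {
    $record = $records[$key] ?? null;
    if ($record === null) {
        return null;
    }
    $owns = ((int) $record['user_id'] === get_current_user_id());
    if (!$owns && !current_user_can('manage_options')) {
        return null;   // deny, and look the same as "not found" to avoid confirming the key exists
    }
    return $record;
}

// Demo: user 7 (Alice) requests the record keyed "k2", which belongs to user 9 (Bob),
// and then her own record keyed "k1".
var_dump(show_vulnerable($records, 'k2'));
var_dump(show_hardened($records, 'k2'));
var_dump(show_hardened($records, 'k1'));
```

In a real plugin the key would be read with `sanitize_text_field(wp_unslash($_GET['key']))` and the ownership field would come from the plugin's own schema; the point is that the authorization decision is made server-side from the session, never from the request.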

Potential Impact

For European organizations, this vulnerability poses a privacy risk, especially under the stringent requirements of the GDPR, which mandates the protection of personal data such as email addresses and names. Unauthorized disclosure of user information could lead to regulatory penalties, reputational damage, and loss of customer trust. Organizations using the WP SmartPay plugin on their WordPress sites may inadvertently expose customer or employee data to other authenticated users, which could be exploited for social engineering or further attacks. While the vulnerability does not allow modification or deletion of data, the confidentiality breach alone is significant. The impact is heightened for organizations handling sensitive or regulated data, including e-commerce platforms, financial services, and healthcare providers. The medium severity score suggests the threat is notable but not critical; however, the ease of exploitation by low-privilege authenticated users increases the risk profile.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence and version of the WP SmartPay plugin. Until an official patch is released, administrators should consider temporarily disabling the plugin or restricting access to trusted users only. Implementing strict role-based access controls and minimizing the number of users with Subscriber-level or higher privileges can reduce exposure. Monitoring logs for unusual access patterns to the show() function or suspicious parameter usage can help detect exploitation attempts. Organizations should also ensure that WordPress and all plugins are kept up to date and subscribe to vendor or security mailing lists for timely patch notifications. Additionally, applying Web Application Firewall (WAF) rules to detect and block abnormal requests targeting the vulnerable parameter may provide interim protection. Finally, reviewing and enhancing overall data access validation within custom or third-party plugins is recommended to prevent similar issues.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-04-21T13:50:28.208Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981bc4522896dcbd99c6

Added to database: 5/21/2025, 9:08:43 AM

Last enriched: 7/5/2025, 2:24:50 PM

Last updated: 7/30/2025, 2:34:55 AM

