CVE-2025-5920 is a high-severity vulnerability affecting the WordPress plugin 'Sharable Password Protected Posts' prior to version 1.1.1. This plugin allows users to create password-protected posts that can be shared via a secret key. The vulnerability arises because the secret key, which is intended to restrict access to authorized users only, is transmitted as a GET parameter in URLs. More critically, this secret key is exposed through the WordPress REST API, which can be accessed without authentication. This exposure constitutes a CWE-201 weakness, where sensitive information is inserted into sent data, making it accessible to unauthorized parties. The CVSS 3.1 base score of 7.5 reflects a high severity due to the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), unchanged scope (S:U), and high impact on confidentiality (C:H) but no impact on integrity or availability (I:N/A:N). Exploiting this vulnerability allows an attacker to retrieve the secret key from the REST API and gain unauthorized access to password-protected posts without needing to guess or brute-force the password. This compromises the confidentiality of sensitive content intended to be restricted. Although no known exploits are currently reported in the wild, the ease of exploitation and the nature of the information exposed make this a significant risk. The vulnerability affects all versions before 1.1.1, with the affected version listed as '0' indicating initial releases or unpatched versions. No official patches or mitigation links are provided yet, emphasizing the need for immediate attention from site administrators using this plugin.

For European organizations, especially those relying on WordPress sites with sensitive or confidential content shared via the Sharable Password Protected Posts plugin, this vulnerability poses a substantial risk to data confidentiality. Unauthorized disclosure of protected posts could lead to exposure of intellectual property, internal communications, or personal data, potentially violating GDPR and other privacy regulations. The breach of confidentiality could damage organizational reputation, lead to regulatory fines, and erode customer trust. Since the vulnerability requires no authentication or user interaction and can be exploited remotely over the network, attackers can easily automate data harvesting. This is particularly concerning for sectors such as finance, healthcare, legal, and government entities in Europe that often use password-protected posts to share sensitive information internally or with clients. The lack of impact on integrity and availability limits the threat to data leakage rather than system disruption, but the confidentiality breach alone is critical under European data protection frameworks.

European organizations should immediately verify if their WordPress installations use the Sharable Password Protected Posts plugin and identify the version in use. If the plugin version is prior to 1.1.1, they should upgrade to the latest version as soon as it becomes available. In the absence of an official patch, administrators should consider disabling the plugin temporarily to prevent exposure. Additionally, organizations can restrict access to the WordPress REST API endpoints by implementing authentication requirements or IP whitelisting to prevent unauthorized retrieval of sensitive GET parameters. Web Application Firewalls (WAFs) can be configured to detect and block suspicious requests targeting the REST API that include the secret key parameter. Reviewing and minimizing the use of password-protected posts for highly sensitive data until the vulnerability is resolved is advisable. Monitoring logs for unusual access patterns to REST API endpoints can help detect exploitation attempts. Finally, organizations should educate content creators about the risks of sharing sensitive information via this plugin and encourage alternative secure sharing methods.