
CVE-2025-7368: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in sizam REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme

Severity: Medium
Tags: Vulnerability, CVE-2025-7368, CWE-200
Published: Sat Sep 06 2025 (09/06/2025, 01:45:17 UTC)
Source: CVE Database V5
Vendor/Project: sizam
Product: REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme

Description

The REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 19.9.7 via the 'ajax_action_re_getfullcontent' function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected posts that they should not have access to.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 16:08:37 UTC

Technical Analysis

CVE-2025-7368 is a medium-severity vulnerability affecting the sizam REHub - Price Comparison, Multi Vendor Marketplace WordPress theme in all versions up to and including 19.9.7. The vulnerability arises from insufficient access control in the 'ajax_action_re_getfullcontent' AJAX function, which is intended to retrieve full post content. Due to improper restrictions, unauthenticated attackers can exploit this function to extract content from password-protected posts that should normally be inaccessible without proper credentials. This exposure violates confidentiality (CWE-200) but does not affect data integrity or availability. The vulnerability can be exploited remotely over the network without any authentication or user interaction, making it relatively easy to abuse. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) confirms that the attack surface is broad and the impact is limited to confidentiality loss. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The REHub theme is popular among WordPress sites focused on price comparison and multi-vendor marketplace functionalities, which often handle sensitive commercial data. Attackers could leverage this flaw to harvest confidential information, potentially leading to competitive intelligence leaks or privacy violations. The vulnerability underscores the importance of enforcing strict access controls on AJAX endpoints and validating user permissions before serving protected content.

Potential Impact

The primary impact of CVE-2025-7368 is unauthorized disclosure of sensitive information contained in password-protected posts on websites using the vulnerable REHub theme. This can lead to breaches of confidentiality, exposing business-sensitive data, pricing strategies, vendor information, or customer details. For e-commerce and marketplace platforms, such data leaks could undermine competitive advantage, damage reputation, and violate privacy regulations. Although the vulnerability does not affect data integrity or availability, the exposure of protected content can facilitate further targeted attacks or social engineering. Organizations worldwide that rely on this theme for their WordPress sites are at risk, especially those with sensitive or proprietary content behind password protection. The ease of exploitation without authentication increases the likelihood of automated scanning and data harvesting by attackers. While no known exploits are currently reported, the vulnerability's public disclosure may prompt threat actors to develop exploit tools, increasing risk over time.

Mitigation Recommendations

To mitigate CVE-2025-7368, organizations should immediately verify whether their WordPress installations use the sizam REHub theme, particularly versions up to 19.9.7. If a patch becomes available, apply it promptly. In the absence of an official fix, consider the following specific measures:
(1) Restrict access to the 'ajax_action_re_getfullcontent' AJAX endpoint by implementing server-side access controls, such as IP whitelisting or requiring authentication tokens.
(2) Modify the theme code to add proper permission checks ensuring only authorized users can retrieve password-protected post content.
(3) Disable or replace the vulnerable AJAX functionality if it is not essential to site operations.
(4) Monitor web server and application logs for unusual or repeated requests to the affected AJAX function to detect potential exploitation attempts.
(5) Employ Web Application Firewalls (WAFs) with custom rules to block suspicious AJAX requests targeting this endpoint.
(6) Educate site administrators about the risks of using outdated themes and the importance of timely updates.
(7) Regularly audit all WordPress plugins and themes for security compliance and remove unused or unsupported components.
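Measure (2) above, enforcing the permission check inside the AJAX handler, is the root-cause fix. The following is an added example written for this page; it is not the REHub theme's code, and the action name 'example_getfullcontent', the handler name and the 'post_id'/'nonce' request parameters are placeholders. It assumes a standard WordPress runtime and shows the shape of a "get full content" AJAX handler that refuses to serve password-protected or non-public posts to a visitor who has not unlocked them, using only core WordPress functions.

```php
<?php
// Added example, not REHub theme code. Hypothetical AJAX handler that returns a
// post's full content only when the requester is actually allowed to read it.
// Assumes WordPress is loaded; action and parameter names are placeholders.

// Register for both logged-in and anonymous callers, since the front end needs it.
add_action( 'wp_ajax_example_getfullcontent', 'example_ajax_getfullcontent' );
add_action( 'wp_ajax_nopriv_example_getfullcontent', 'example_ajax_getfullcontent' );

function example_ajax_getfullcontent() {
    // Ties the request to the page that issued it (CSRF protection only;
    // a nonce is NOT an authorization check and does not replace the ones below).
    check_ajax_referer( 'example_getfullcontent', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // Serve only published posts of a publicly viewable post type. This also
    // rejects drafts, private posts, revisions and internal post types, and
    // returns the same 404 for "missing" and "not allowed" so the endpoint
    // cannot be used to confirm which post IDs exist.
    if ( ! $post
        || 'publish' !== $post->post_status
        || ! is_post_type_viewable( $post->post_type ) ) {
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    // The check whose absence CVE-2025-7368 describes: a password-protected post
    // stays hidden unless the visitor has already submitted the password.
    // post_password_required() validates the wp-postpass_* cookie WordPress sets
    // when the password form is completed.
    if ( post_password_required( $post ) ) {
        wp_send_json_error( array( 'message' => 'This content is protected.' ), 403 );
    }

    // Run the normal content filters (shortcodes, embeds) only after
    // authorization has passed, so protected content is never rendered at all.
    $content = apply_filters( 'the_content', $post->post_content );

    wp_send_json_success( array(
        'id'      => $post->ID,
        'content' => $content,
    ) );
}
```

Note that current_user_can( 'read_post', $id ) is deliberately not used here: for an anonymous visitor it returns false even on public posts, so a handler registered under wp_ajax_nopriv_ would break the legitimate front-end use. Restricting to post_status 'publish', a viewable post type, and a passed post_password_required() check is the combination that matches what WordPress itself exposes to logged-out readers.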


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-07-08T19:16:31.343Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68bb9510535f4a97731d3e19

Added to database: 9/6/2025, 1:57:36 AM

Last enriched: 2/26/2026, 4:08:37 PM

Last updated: 3/23/2026, 9:39:35 AM
