CVE-2025-7368 is a medium-severity vulnerability affecting the REHub WordPress theme, a popular theme used for price comparison and multi-vendor marketplace websites. The vulnerability arises from an information exposure flaw (CWE-200) in the 'ajax_action_re_getfullcontent' function. This function fails to properly restrict access to certain posts, allowing unauthenticated attackers to retrieve content from password-protected posts that should normally be inaccessible. Specifically, the theme does not enforce adequate access controls when handling AJAX requests to fetch full post content, resulting in unauthorized data disclosure. The vulnerability affects all versions up to and including 19.9.7. The CVSS 3.1 base score is 5.3, reflecting a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impact limited to confidentiality (C:L) without affecting integrity or availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. This vulnerability could be exploited remotely by attackers without authentication, making it a significant risk for websites using this theme, especially those hosting sensitive or proprietary content behind password protection.

For European organizations using the REHub WordPress theme, this vulnerability poses a risk of unauthorized disclosure of sensitive or confidential information stored in password-protected posts. This could include proprietary pricing data, vendor information, or other business-critical content intended only for authorized users. Exposure of such data could lead to competitive disadvantage, reputational damage, or regulatory compliance issues, especially under GDPR where unauthorized data disclosure is a serious concern. Since the vulnerability does not affect data integrity or availability, the primary impact is confidentiality loss. However, the ease of exploitation (no authentication or user interaction required) increases the likelihood of data leakage incidents. Organizations operating e-commerce, marketplace, or price comparison platforms in Europe should be particularly vigilant, as attackers could leverage this flaw to gather intelligence or conduct further targeted attacks. The absence of known exploits in the wild suggests limited current exploitation, but the publicly available details and medium severity score warrant timely mitigation to prevent future abuse.

European organizations should immediately audit their WordPress installations to identify if the REHub theme (version 19.9.7 or earlier) is in use. Until an official patch is released, practical mitigations include disabling or restricting access to the vulnerable AJAX endpoint 'ajax_action_re_getfullcontent' via web application firewalls (WAFs) or server-level access controls to block unauthenticated requests. Implementing strict IP whitelisting or requiring authentication for AJAX requests related to post content retrieval can reduce exposure. Additionally, organizations should review and minimize the use of password-protected posts containing sensitive information, considering alternative secure content delivery methods. Monitoring web server logs for unusual or repeated access attempts to the vulnerable function can help detect exploitation attempts. Once a vendor patch becomes available, prompt application of the update is critical. Finally, organizations should ensure their WordPress core, themes, and plugins are regularly updated and conduct periodic security assessments to identify similar access control weaknesses.