CVE-2025-7368: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in sizam REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme
The REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 19.9.7 via the 'ajax_action_re_getfullcontent' function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password-protected posts that they should not have access to.
AI Analysis
Technical Summary
CVE-2025-7368 is a medium-severity vulnerability affecting the REHub WordPress theme, specifically versions up to and including 19.9.7. The issue arises from the 'ajax_action_re_getfullcontent' function, which lacks sufficient access control checks on which posts can be retrieved via AJAX requests. This flaw allows unauthenticated attackers to bypass intended access restrictions and extract content from password-protected posts. The vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. Exploitation does not require authentication or user interaction, and the attack vector is network-based (remote). The vulnerability impacts confidentiality but does not affect integrity or availability. There are no known exploits in the wild at this time, and no official patches have been released yet. The CVSS v3.1 base score is 5.3, reflecting a medium severity level due to ease of exploitation combined with limited impact scope.
Potential Impact
For European organizations using the REHub WordPress theme, this vulnerability poses a risk of unauthorized data disclosure. Sensitive or proprietary information stored in password-protected posts—such as pricing data, vendor details, or internal communications—could be exposed to attackers without any authentication. This could lead to competitive disadvantage, reputational damage, or regulatory compliance issues, especially under GDPR where unauthorized data exposure can result in significant fines. Since REHub is a popular theme for e-commerce and multi-vendor marketplaces, businesses relying on it for online sales or price comparison services may face confidentiality breaches. The impact is primarily on confidentiality, with no direct effect on system integrity or availability. However, the exposure of sensitive business data can indirectly affect trust and operational security.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify if the REHub theme is in use and confirm the version. Until an official patch is released, organizations should consider the following mitigations:
1) Disable or restrict access to the vulnerable AJAX endpoint ('ajax_action_re_getfullcontent') via web application firewall (WAF) rules or server configuration to block unauthenticated requests.
2) Implement additional access controls at the web server or application level to enforce authentication before allowing access to sensitive post content.
3) Review and limit the use of password-protected posts containing sensitive information, possibly migrating such content to more secure platforms or plugins with robust access controls.
4) Monitor web server logs for suspicious access patterns targeting the AJAX endpoint.
5) Plan for timely updates to the REHub theme once a security patch is released by the vendor.
6) Consider deploying security plugins that can detect and block unauthorized content scraping attempts.
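Mitigation 4 above (monitoring web server logs for access patterns against the AJAX endpoint) is illustrated by the following added example; it is not code from the advisory, the theme vendor or Wordfence. It assumes the handler is reached through WordPress's standard admin-ajax.php and that the request's 'action' parameter contains the function name 'getfullcontent'; the 'post_id'/'id' parameter names, the log lines and the IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Combined Log Format: client ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Assumption: the theme registers the vulnerable handler under a WordPress AJAX
# 'action' value that carries the function name; match loosely on that name.
ACTION_RE = re.compile(r"getfullcontent", re.IGNORECASE)

def parse_line(line):
    """Split one access-log line into fields; None if it is not in Combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["path"])
    rec["endpoint"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec

def is_suspect(rec):
    """True for a hit on admin-ajax.php whose URL-borne action names the handler.
    Caveat: a POST carries 'action' in the body, which access logs do not record;
    WAF or application-level logging is needed to see those."""
    return (rec is not None
            and rec["endpoint"].endswith("/wp-admin/admin-ajax.php")
            and ACTION_RE.search(rec["query"].get("action", "")) is not None)

def analyse(lines, threshold=3):
    """Aggregate suspect hits per client IP and flag IPs that either repeat the
    request or sweep several distinct post IDs (enumeration of protected posts)."""
    per_ip = defaultdict(lambda: {"hits": 0, "posts": set()})
    for line in lines:
        rec = parse_line(line)
        if not is_suspect(rec):
            continue
        stats = per_ip[rec["ip"]]
        stats["hits"] += 1
        post_id = rec["query"].get("post_id") or rec["query"].get("id")  # assumed names
        if post_id:
            stats["posts"].add(post_id)
    return {ip: s for ip, s in per_ip.items()
            if s["hits"] >= threshold or len(s["posts"]) >= threshold}

# Constructed sample: one client sweeping post IDs, one ordinary visitor, one opaque POST.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Sep/2025:01:50:01 +0000] "GET /wp-admin/admin-ajax.php?action=ajax_action_re_getfullcontent&post_id=101 HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.7 - - [06/Sep/2025:01:50:02 +0000] "GET /wp-admin/admin-ajax.php?action=ajax_action_re_getfullcontent&post_id=102 HTTP/1.1" 200 4980 "-" "curl/8.0"',
    '203.0.113.7 - - [06/Sep/2025:01:50:03 +0000] "GET /wp-admin/admin-ajax.php?action=ajax_action_re_getfullcontent&post_id=103 HTTP/1.1" 200 5301 "-" "curl/8.0"',
    '198.51.100.4 - - [06/Sep/2025:01:51:10 +0000] "GET /wp-admin/admin-ajax.php?action=ajax_action_re_getfullcontent&post_id=57 HTTP/1.1" 200 2210 "https://shop.example/" "Mozilla/5.0"',
    '198.51.100.4 - - [06/Sep/2025:01:51:12 +0000] "GET /index.php?p=57 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [06/Sep/2025:01:52:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, s in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {s['hits']} hits, post IDs {sorted(s['posts'])}")
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines; the single legitimate-looking hit from 198.51.100.4 stays below the threshold while the sweeping client is flagged.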
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-08T19:16:31.343Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68bb9510535f4a97731d3e19
Added to database: 9/6/2025, 1:57:36 AM
Last enriched: 9/6/2025, 2:12:59 AM
Last updated: 9/8/2025, 12:09:46 AM