The Broadstreet plugin for WordPress contains a sensitive information exposure vulnerability (CWE-200) in all versions up to 1.53.1. This vulnerability arises from the get_sponsored_meta() AJAX action, which improperly allows authenticated users with subscriber-level privileges or higher to retrieve sensitive data that should be restricted, such as password-protected and private business details. The CVSS 3.1 base score is 5.3, indicating medium severity, with network attack vector, low attack complexity, no privileges required, no user interaction, and limited confidentiality impact. No official patch or remediation level has been provided by the vendor as of the publication date.

An attacker with subscriber-level or higher access to a WordPress site using the vulnerable Broadstreet plugin can extract sensitive information that should be protected, including password-protected and private business details. This exposure could lead to unauthorized disclosure of confidential data. There is no indication of impact on integrity or availability. No known exploits have been reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict subscriber-level access to trusted users only and monitor for unusual activity involving the get_sponsored_meta() AJAX action. Avoid granting unnecessary privileges to users and consider disabling or removing the Broadstreet plugin if sensitive data exposure risk is unacceptable.