CVE-2025-7368 in Rehub Plugin
Summary
by MITRE • 09/06/2025
The REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 19.9.7 via the 'ajax_action_re_getfullcontent' function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected posts that they should not have access to.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/06/2025
The vulnerability identified as CVE-2025-7368 affects the REHub - Price Comparison, Multi Vendor Marketplace WordPress theme version 19.9.7 and earlier, representing a critical information exposure flaw that undermines the security model of WordPress sites utilizing this theme. This weakness resides within the 'ajax_action_re_getfullcontent' function which processes AJAX requests to retrieve post content, creating an avenue for unauthorized data access that directly violates fundamental security principles of access control and information confidentiality.
The technical implementation of this vulnerability stems from inadequate input validation and access control mechanisms within the theme's AJAX handler. When the 'ajax_action_re_getfullcontent' function processes requests, it fails to properly verify whether the requesting user has legitimate authorization to access specific posts, particularly those that are password protected or otherwise restricted. This flaw allows unauthenticated attackers to craft malicious AJAX requests that bypass normal WordPress access controls, enabling them to retrieve content from posts that should remain inaccessible. The vulnerability operates at the application layer and can be exploited through standard web browser interfaces without requiring any special privileges or tools.
The operational impact of this vulnerability extends beyond simple data leakage, as it creates a persistent security risk for websites using the affected theme. Attackers can systematically enumerate protected content, potentially accessing sensitive commercial information, private communications, or proprietary data that vendors might have intended to keep confidential within their marketplace platform. This exposure particularly affects multi-vendor marketplaces where vendors might share password-protected posts containing product details, pricing information, or customer communications. The vulnerability enables attackers to extract structured data that could be used for competitive intelligence, fraud, or further exploitation of the affected platform.
Security professionals should note this vulnerability maps to CWE-200, Information Exposure, and aligns with ATT&CK technique T1213.002 Access Data: Web Shell, as it enables unauthorized data access through web application interfaces. Organizations using the REHub theme must immediately implement mitigations including updating to the latest theme version, implementing proper access control restrictions, and monitoring for unauthorized AJAX requests. The recommended approach involves validating user authentication status and post access permissions before processing any AJAX requests through the vulnerable function. Additionally, implementing rate limiting and request validation mechanisms can help reduce the effectiveness of automated exploitation attempts while maintaining legitimate functionality for authorized users.