CVE-2025-13842

Breadcrumb NavXT <= 7.5.0 - Missing Authorization to Sensitive Information Exposure

CVSS 5.3 MEDIUMEPSS 0.3%CWE-639

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 5.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

19 feb 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the includes/blocks/build/breadcrumb-trail/render.php file. This makes it possible for unauthenticated attackers to enumerate and view breadcrumb trails for draft or private posts by manipulating the post_id parameter, revealing post titles and hierarchy that should remain hidden.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Productos afectados

mtekk · Breadcrumb NavXT

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://plugins.trac.wordpress.org/browser/breadcrumb-navxt/trunk/includes/blocks/build/breadcrumb-trail/render.php#L17 https://plugins.trac.wordpress.org/changeset/3425008 https://www.wordfence.com/threat-intel/vulnerabilities/id/62e25985-ac19-41a5-8027-eb053f4a6490?source=cve