CVE-2025-13842
Awaiting Analysis Awaiting Analysis - Queue
Authorization Bypass in Breadcrumb NavXT Plugin Exposes Private Posts

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: Wordfence

Description
The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the includes/blocks/build/breadcrumb-trail/render.php file. This makes it possible for unauthenticated attackers to enumerate and view breadcrumb trails for draft or private posts by manipulating the post_id parameter, revealing post titles and hierarchy that should remain hidden.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13842
EUVD
EUVD-2025-207863
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wordfence breadcrumb_navxt to 7.5.0 (inc)
breadcrumb_navxt breadcrumb_navxt to 7.5.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Breadcrumb NavXT plugin for WordPress has a vulnerability in versions up to and including 7.5.0 that allows unauthorized users to bypass authorization controls. This happens because the plugin's Gutenberg block renderer trusts the user-controlled 'post_id' parameter from the request without verifying it. As a result, attackers who are not logged in can manipulate this parameter to access breadcrumb trails for draft or private posts, which normally should not be visible.

Impact Analysis

This vulnerability can impact you by allowing unauthenticated attackers to view breadcrumb trails of draft or private posts on your WordPress site. This means sensitive information such as post titles and their hierarchical structure, which should be hidden, can be exposed. Although the impact is limited to information disclosure (confidentiality), it could lead to privacy concerns or leakage of unpublished content.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13842. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart