WordPress Breadcrumb NavXT plugin exposes draft and private post information

CVE-2025-13842
Summary

The Breadcrumb NavXT plugin for WordPress lets unauthenticated visitors view breadcrumb trails for draft or private posts, exposing post titles and hierarchy that should remain hidden. An attacker triggers this by manipulating the post_id request parameter. To protect your site, update the plugin to version 7.5.1 or later.

Original title
The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusti...
Original description
The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the includes/blocks/build/breadcrumb-trail/render.php file. This makes it possible for unauthenticated attackers to enumerate and view breadcrumb trails for draft or private posts by manipulating the post_id parameter, revealing post titles and hierarchy that should remain hidden.
NVD CVSS 3.1 score: 5.3
Vulnerability type
CWE-639 Authorization Bypass Through User-Controlled Key
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026
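
One way to look for the post_id manipulation described above in web server access logs, as an added example that is not part of the original advisory or of the plugin's code. The combined log format, the constructed sample lines, the function names and the threshold of five distinct IDs are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not taken from a real site).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Mar/2026:10:00:01 +0000] "GET /?post_id=101 HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.7 - - [06/Mar/2026:10:00:02 +0000] "GET /?post_id=102 HTTP/1.1" 200 498 "-" "curl/8.5"
203.0.113.7 - - [06/Mar/2026:10:00:03 +0000] "GET /?post_id=103 HTTP/1.1" 200 530 "-" "curl/8.5"
203.0.113.7 - - [06/Mar/2026:10:00:04 +0000] "GET /?post_id=104 HTTP/1.1" 200 501 "-" "curl/8.5"
203.0.113.7 - - [06/Mar/2026:10:00:05 +0000] "GET /?post_id=105 HTTP/1.1" 200 544 "-" "curl/8.5"
203.0.113.7 - - [06/Mar/2026:10:00:06 +0000] "GET /?post_id=106 HTTP/1.1" 200 519 "-" "curl/8.5"
198.51.100.20 - - [06/Mar/2026:10:01:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.20 - - [06/Mar/2026:10:01:09 +0000] "GET /blog/hello-world/?post_id=42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.20 - - [06/Mar/2026:10:01:30 +0000] "GET /?post_id=42&preview=true HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

# Captures the client address and the request target of each log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" \d{3} ')


def post_id_probes(log_text):
    """Map each client IP to the set of distinct numeric post_id values it sent."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the assumed format
        ip, target = match.groups()
        for value in parse_qs(urlsplit(target).query).get("post_id", []):
            if value.isdecimal():  # ignore non-numeric values
                seen[ip].add(int(value))
    return seen


def flag_enumeration(log_text, min_distinct=5):
    """Return {ip: sorted ids} for clients that requested many distinct post_id values."""
    return {
        ip: sorted(ids)
        for ip, ids in post_id_probes(log_text).items()
        if len(ids) >= min_distinct  # assumed threshold; tune per site
    }


if __name__ == "__main__":
    for ip, ids in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip} requested {len(ids)} distinct post_id values: {ids}")
```

$_REQUEST also carries POST fields, which access logs do not record, so this check covers only query-string probing.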