CVE-2025-58003
Description
Missing Authorization vulnerability in javothemes Javo Core javo-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Javo Core: from n/a through <= 3.0.0.266.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Javo Core plugin (≤3.0.0.266) allows unauthenticated attackers to exploit incorrectly configured access control security levels.
Vulnerability Overview
CVE-2025-58003 is a missing authorization vulnerability in the Javo Core WordPress plugin (versions up to and including 3.0.0.266). The plugin fails to properly verify access control security levels, allowing exploitation of incorrectly configured access control mechanisms [1].
Exploitation
This broken access control issue means that functions within the plugin lack necessary authorization, authentication, or nonce token checks. As a result, an unprivileged user—potentially an unauthenticated attacker—can execute actions that should require higher privileges [1]. The vulnerability is particularly concerning because it is used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].
Impact
An attacker exploiting this vulnerability can bypass intended access restrictions, potentially gaining the ability to perform administrative actions or access sensitive data. The CVSS v3 base score of 5.3 (Medium) reflects the moderate severity, but the real-world impact is amplified by the ease of exploitation and the widespread use of the plugin [1].
Mitigation
The vendor has not released a patch for versions beyond 3.0.0.266; users are strongly advised to update the plugin immediately. If updating is not possible, users should contact their hosting provider or web developer for assistance. The vulnerability is actively used in mass-exploit campaigns, making prompt action critical [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 3.0.0.266
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.