VYPR
Medium severity (CVSS 5.3) · NVD Advisory · Published Sep 22, 2025 · Updated Apr 23, 2026

CVE-2025-58029

Description

Missing Authorization vulnerability in Sumit Singh Classic Widgets with Block-based Widgets (classic-widgets-with-block-based-widgets) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Classic Widgets with Block-based Widgets: from n/a through <= 1.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in Classic Widgets plugin (≤1.0.1) allows unauthenticated access to restricted functionality.

Vulnerability

Overview

CVE-2025-58029 is a missing authorization vulnerability in the WordPress plugin Classic Widgets with Block-based Widgets, versions up to and including 1.0.1. The plugin fails to enforce access control checks, so unauthenticated users can reach functionality that should be restricted to higher-privileged roles. This is a classic broken access control issue: the plugin does not verify nonce tokens or user capabilities before executing certain actions [1].
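To make the defect class concrete, the following is an added illustration and is not the plugin's own code; this page does not show the affected endpoints, so the handler, the action names (`example_save_widget_mode`, `example_save_widget_mode_v2`), the option key `example_widget_mode` and the script handle `example-admin` are all assumptions. The weak form is an admin-ajax handler that changes a setting with no capability or nonce check, which is the pattern the advisory describes; the hardened form beside it shows the checks a WordPress plugin should make before performing a privileged action.

```php
<?php
/*
 * Added example (constructed for this page, not the plugin's code). Shows an
 * admin-ajax handler without authorization checks next to a hardened version.
 * All action names, option keys and the script handle are assumptions.
 */

// --- Weak form: functionality not constrained by any authorization check ---
// Registering under wp_ajax_nopriv_ exposes the handler to visitors who are not
// logged in at all; even without the nopriv hook, any logged-in user could call it.
add_action( 'wp_ajax_example_save_widget_mode',        'example_save_widget_mode_weak' );
add_action( 'wp_ajax_nopriv_example_save_widget_mode', 'example_save_widget_mode_weak' );

function example_save_widget_mode_weak() {
    // No current_user_can() and no check_ajax_referer(): anyone can change the setting.
    $mode = isset( $_POST['mode'] ) ? sanitize_text_field( wp_unslash( $_POST['mode'] ) ) : 'classic';
    update_option( 'example_widget_mode', $mode );
    wp_send_json_success( array( 'mode' => $mode ) );
}

// --- Hardened form: capability check, nonce check, no nopriv registration ---
add_action( 'wp_ajax_example_save_widget_mode_v2', 'example_save_widget_mode_hardened' );

function example_save_widget_mode_hardened() {
    // 1. Authorization: only users allowed to manage site options may change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce tied to this action.
    //    check_ajax_referer() ends the request on failure, so no return value check is needed.
    check_ajax_referer( 'example_save_widget_mode_v2', 'nonce' );

    // 3. Input validation: accept only the values the feature actually supports.
    $allowed = array( 'classic', 'block' );
    $mode    = isset( $_POST['mode'] ) ? sanitize_text_field( wp_unslash( $_POST['mode'] ) ) : '';
    if ( ! in_array( $mode, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid mode.' ), 400 );
    }

    update_option( 'example_widget_mode', $mode );
    wp_send_json_success( array( 'mode' => $mode ) );
}

// The admin page that issues the request needs a matching nonce. This assumes a
// script registered under the handle 'example-admin'; wp_create_nonce() ties the
// token to the logged-in user's session, so an unauthenticated caller cannot obtain one.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_widget_mode_v2' ),
    ) );
} );
```

The two checks address different failures: `current_user_can()` is the authorization decision the advisory says is missing, while the nonce only protects a legitimately privileged user against cross-site request forgery. A nonce on its own does not fix a missing authorization check, and an authorization check on its own still leaves CSRF open, so a hardened handler needs both. Omitting the `wp_ajax_nopriv_` registration removes the handler from the unauthenticated attack surface entirely.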

Exploitation

An attacker can exploit this vulnerability without needing any authentication. By sending crafted requests to the affected plugin endpoints, they can trigger functions that are normally reserved for administrators or editors. The attack surface is the plugin's administrative interface, which is exposed to any visitor of the WordPress site. No special network position or prior access is required [1].

Impact

Successful exploitation allows an attacker to perform actions that should be constrained by access control lists (ACLs). This could include modifying widget configurations, accessing sensitive settings, or performing other unauthorized operations. The CVSS v3 base score is 5.3 (Medium), reflecting the potential for partial compromise of the site's functionality and data integrity [1].

Mitigation

The vendor has not released a patched version at the time of publication. Users are strongly advised to update the plugin to the latest available version as soon as a fix is released. If immediate updating is not possible, consider disabling the plugin or implementing a web application firewall rule to block unauthenticated requests to the plugin's endpoints. This vulnerability is noted as being used in mass-exploit campaigns, so prompt action is recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)