CVE-2025-58258
Description
Missing Authorization vulnerability in nK Lazy Blocks lazy-blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lazy Blocks: from n/a through <= 4.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Lazy Blocks WordPress plugin <= 4.1.0 has a missing authorization check allowing unprivileged users to perform higher-privileged actions.
Vulnerability Description
The Lazy Blocks WordPress plugin, versions 4.1.0 and earlier, contains a missing authorization vulnerability [1]. This is a broken access control issue where the plugin fails to properly verify authentication or nonce tokens on certain functions [1]. The flaw allows an attacker to exploit incorrectly configured access control security levels.
Exploitation
The vulnerability can be exploited by an unprivileged user who can send crafted requests to the vulnerable plugin [1]. No special network position or complex prerequisites are mentioned beyond having a basic user account or being able to interact with the plugin's endpoints. This type of vulnerability is often used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].
Impact
Successful exploitation could allow an unprivileged user to execute higher-privileged actions that should be restricted [1]. The CVSS score of 4.3 (Medium) indicates a moderate severity, with a low likelihood of exploitation in typical scenarios [1].
Mitigation
The issue has been patched in version 4.1.1 of the Lazy Blocks plugin [1]. Users are strongly advised to update immediately. For those unable to update, assistance from a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE), range: <=4.1.0
- (no CPE), range: <=4.1.0
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.