CVE-2025-58660
Description
Missing Authorization vulnerability in brandexponents Oshine Core oshine-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Oshine Core: from n/a through <= 1.5.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization vulnerability in Oshine Core WordPress plugin (<=1.5.5) allows attackers to exploit incorrectly configured access controls, enabling privilege escalation or unauthorized actions.
Vulnerability Overview
The Oshine Core plugin for WordPress, versions up to and including 1.5.5, suffers from a missing authorization vulnerability. This flaw stems from incorrect configuration of access control security levels, meaning that certain functions or endpoints lack proper authorization checks. As a result, the plugin fails to verify whether a user has the necessary permissions to perform sensitive actions.
Attack Vector and Exploitation
The vulnerability is classified as Broken Access Control (CWE-862), which can be exploited by attackers without needing prior authentication in some cases, or by low-privileged users such as subscribers. An attacker positioned on the same network or remotely can send crafted requests to the affected plugin's endpoints, bypassing security checks. The attack does not require any special conditions beyond the ability to interact with the WordPress site where the plugin is installed.
Impact
Successful exploitation allows an attacker to perform actions that should be restricted to higher-privileged users, such as administrators. This could include modifying settings, accessing sensitive data, or escalating privileges within the WordPress environment. The vulnerability has been used in mass-exploit campaigns, targeting thousands of websites regardless of their traffic size, making it a critical risk for site owners who have not updated.
Mitigation Steps
Users are strongly advised to update the Oshine Core plugin to a patched version as soon as possible. If immediate updating is not feasible, contacting the hosting provider or a web developer for assistance is recommended. No workarounds other than updating have been disclosed at this time. The vulnerability was publicly reported via Patchstack [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=1.5.5
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.