CVE-2025-58679

Vulnerability

Overview

The AppMySite plugin for WordPress, versions up to and including 3.15.0, contains a missing authorization vulnerability. This issue stems from incorrectly configured access control security levels, which can lead to exploitation by unprivileged users [1]. The vulnerability is classified as a broken access control issue, meaning that certain functions lack proper authorization, authentication, or nonce token checks [1].

Exploitation

An attacker who is an unprivileged user (e.g., a subscriber or lower) can exploit this missing authorization to perform actions that should require higher privileges. The attack does not require authentication bypass beyond the user's existing low-level access, and the vulnerability can be triggered without any special network position [1]. This type of vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation allows an attacker to execute higher-privileged actions within the plugin's functionality, potentially leading to unauthorized data access, modification, or other security breaches. The CVSS v3 base score is 5.3 (Medium), reflecting a moderate impact with low attack complexity [1].

Mitigation

The vulnerability has been addressed in version 3.15.1 of the AppMySite plugin. Users are strongly advised to update to this version or later immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-update for vulnerable plugins [1].