CVE-2025-58680

Vulnerability

Overview CVE-2025-58680 is a missing authorization vulnerability in the Gutentor WordPress plugin, affecting versions from n/a through 3.5.2. The issue stems from incorrectly configured access control security levels, which means the plugin fails to properly verify user permissions before allowing certain actions. This is a classic broken access control flaw, as described in the Patchstack advisory [1].

Exploitation

An attacker can exploit this vulnerability without needing any prior authentication, as the missing authorization check allows unprivileged users to execute higher-privileged actions. The attack surface is broad because the plugin is widely used, and the vulnerability can be leveraged in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].

Impact

Successful exploitation could allow an attacker to perform unauthorized actions within the WordPress site, such as modifying content or settings, depending on the specific functions affected by the missing authorization. The CVSS v3 base score of 6.5 (Medium) reflects the potential for significant impact without requiring complex attack conditions [1].

Mitigation

The vulnerability has been addressed in Gutentor version 3.5.3. Users are strongly advised to update immediately. If updating is not possible, consulting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1] plugins [1].