CVE-2025-58980

Vulnerability

Overview

The Export WP Page to Static HTML/CSS plugin for WordPress suffers from a missing authorization vulnerability (Broken Access Control) affecting versions from n/a through 4.1.0 [1]. This flaw allows an attacker to access functionality that should be restricted to higher-privileged users, as the plugin fails to properly enforce access controls on certain operations.

Exploitation

No authentication is required to exploit this vulnerability, making it accessible to any unauthenticated visitor. The attack can be carried out over the network without any special privileges or user interaction [1]. This low-complexity attack vector is particularly dangerous because it can be automated to target thousands of sites in mass-exploit campaigns.

Impact

A successful exploit permits an unauthenticated attacker to access functionality that is normally constrained to administrators, such as potentially modifying plugin settings or exporting sensitive data [1]. While the CVSS score of 5.3 indicates medium severity, the ease of exploitation raises the practical risk.

Mitigation

The vulnerability has been addressed in version 4.2.0 of the plugin. Users are strongly advised to update immediately. If updating is not possible, administrators should consider disabling the plugin or applying additional access controls via web application firewall rules until an update can be applied [1].