VYPR
Medium severity 6.5 · NVD Advisory · Published Nov 6, 2025 · Updated Apr 27, 2026

CVE-2025-58986

Description

Missing Authorization vulnerability in ganddser Jock On Air Now (JOAN) joan allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Jock On Air Now (JOAN): from n/a through <= 6.0.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Jock On Air Now (JOAN) plugin <=6.0.4 has a missing authorization vulnerability enabling unprivileged attackers to exploit broken access controls.

Vulnerability Overview

The Jock On Air Now (JOAN) WordPress plugin through version 6.0.4 suffers from a missing authorization vulnerability [1]. This issue is categorized as broken access control, meaning the plugin fails to properly verify a user's privileges before allowing certain actions [1]. The root cause is incorrectly configured access control security levels, which can permit lower-privileged users to perform elevated actions intended only for administrators.

Exploitation Method

An attacker exploiting this vulnerability needs no special authentication beyond a basic WordPress user account. By leveraging the missing authorization checks, an unauthenticated or low-privilege attacker can interact with functions that should be restricted to higher-privilege roles [1]. The attack surface is the WordPress admin interface and plugin-specific endpoints that do not enforce proper capability checks.

Impact

Successful exploitation allows an attacker to carry out actions such as modifying plugin settings, accessing sensitive data, or potentially escalating privileges within the WordPress site [1]. Since the plugin is used across thousands of sites, this vulnerability is considered moderately dangerous and is expected to be included in mass-exploit campaigns [1].

Mitigation

The vulnerability is fixed in version 6.0.5 of the JOAN plugin [1]. Users are strongly advised to update immediately. For those unable to update, Patchstack has issued a mitigation rule to block exploitation attempts until the update can be applied [1]. No workaround other than updating is currently recommended.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

References

1
