CVE-2025-46258
BaseFortify
Publication date: 2025-06-05
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-46258 is a Broken Access Control vulnerability in the WordPress Element Pack Pro Plugin versions before 8.0.0. It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions, allowing users with subscriber-level privileges to perform actions that should be restricted to higher privilege levels. This flaw enables unauthorized privilege escalation within the plugin. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with subscriber-level access to escalate their privileges and perform unauthorized actions within the affected WordPress plugin. Although the severity is considered low (CVSS score 5.4), it still poses a risk of unauthorized access and potential misuse of plugin functionality, which could compromise the security or integrity of the website. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the WordPress site is running Element Pack Pro Plugin versions prior to 8.0.0. Since the vulnerability allows unprivileged users (subscriber-level) to perform unauthorized actions, monitoring for unusual privilege escalations or unauthorized actions by low-privilege users can help detect exploitation attempts. Specific commands are not provided in the resources, but general steps include verifying the plugin version via WordPress admin or command line (e.g., wp-cli: `wp plugin list`), and reviewing access logs for suspicious activity. Additionally, professional incident response and server-side malware scanning are recommended if compromise is suspected. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate recommended mitigation is to update the Element Pack Pro Plugin to version 8.0.0 or later, where the vulnerability is fixed. As an interim measure, Patchstack offers virtual patching (vPatching) that automatically mitigates the vulnerability even if the official patch is not applied. Users should also consider enabling auto-update options for the plugin and perform professional incident response and server-side malware scanning if compromise is suspected. [1]