CVE-2025-58192
BaseFortify
Publication date: 2025-08-27
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xylus_themes | wp_bulk_delete | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58192 is a Broken Access Control vulnerability in the WordPress WP Bulk Delete Plugin versions up to 1.3.6. It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions, which can allow users with low privileges (Subscriber-level) to perform actions meant for higher-privileged users. This flaw is categorized under OWASP Top 10 A1: Broken Access Control and has a low severity rating with a CVSS score of 4.3. [1]
How can this vulnerability impact me? :
This vulnerability can allow unprivileged users to perform restricted actions within the WP Bulk Delete plugin, potentially leading to unauthorized deletion or modification of data managed by the plugin. Although it has a low severity and is considered unlikely to be exploited, attackers may opportunistically automate exploitation against vulnerable sites. If exploited, it could compromise the integrity of data handled by the plugin. Mitigation involves updating to version 1.3.7 or later or using Patchstack's virtual patching solution. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network indicators provided for this vulnerability. Detection would likely involve verifying the plugin version of WP Bulk Delete installed on your WordPress site to see if it is version 1.3.6 or earlier, which are vulnerable. Additionally, monitoring for unauthorized actions performed by Subscriber-level users could indicate exploitation, but no explicit commands or tools are mentioned. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WP Bulk Delete plugin to version 1.3.7 or later, where the vulnerability is fixed. Alternatively, applying Patchstack's virtual patching (vPatching) solution can provide automatic mitigation before official patches are applied. In case of suspected compromise, seek professional incident response or server-side malware scanning rather than relying solely on plugin-based malware scanners. [1]