CVE-2025-58198
BaseFortify
Publication date: 2025-08-27
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xpro | xpro_theme_builder | 1.2.9 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Broken Access Control issue in the WordPress Xpro Theme Builder Plugin up to version 1.2.9. It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions, which can allow users with Contributor-level privileges to perform actions that should be restricted to higher privilege levels. Essentially, it means that the plugin does not properly enforce access controls, potentially letting less privileged users execute unauthorized actions. [1]
How can this vulnerability impact me? :
The vulnerability can allow users with Contributor privileges to perform unauthorized actions that are normally reserved for higher privilege levels. This can lead to unauthorized modifications or changes within the plugin or website, potentially compromising the integrity of the site. However, the CVSS score of 6.5 indicates a moderate severity, and it is considered unlikely to be widely exploited. Updating to version 1.2.10 or later mitigates this risk. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the WordPress site is running the Xpro Theme Builder plugin version 1.2.9 or earlier. Since the vulnerability arises from missing authorization checks in certain plugin functions, monitoring for unauthorized actions performed by users with Contributor privileges or lower may indicate exploitation attempts. Specific commands are not provided in the resources, but you can check the plugin version via WP-CLI with: `wp plugin list | grep xpro-theme-builder` to identify affected versions. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Xpro Theme Builder plugin to version 1.2.10 or later, where the vulnerability is resolved. Additionally, Patchstack offers virtual patching (vPatching) that can automatically mitigate this vulnerability before official patches are applied. Ensuring timely updates and applying virtual patching can protect against exploitation. [1]