CVE-2025-58007
BaseFortify
Publication date: 2025-09-22
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | social_pug | 1.35.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-497 | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58007 is a Sensitive Data Exposure vulnerability in the WordPress Social Pug Plugin (versions up to 1.35.1). It allows a malicious user with subscriber-level privileges to access sensitive system information that should normally be restricted. This vulnerability falls under the OWASP Top 10 category A1: Broken Access Control, meaning it involves improper restriction of access to sensitive data. Although the severity is considered low (CVSS score 4.3), the exposed data could potentially be used to exploit other weaknesses in the system. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing a low-privileged user (subscriber-level) to retrieve sensitive information that should be protected. While the direct impact is limited (no integrity or availability loss), the exposure of sensitive data could be leveraged by attackers to find further vulnerabilities or escalate attacks. The risk is considered low and exploitation unlikely, but it still poses a security concern. There is currently no official patch, but virtual patching is available to mitigate the risk. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unauthorized access attempts by users with subscriber-level privileges to sensitive data normally restricted. Since no specific detection commands are provided, general recommendations include server-side malware scanning and monitoring access logs for unusual data retrieval patterns by low-privilege accounts. Using WordPress security plugins to audit user activities and access controls may also help identify exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying Patchstack's virtual patching (vPatching) solution, which auto-mitigates the vulnerability even without an official fix. Additionally, users should monitor for updates from the plugin developer, implement server-side malware scanning, restrict subscriber-level access where possible, and consider professional incident response if compromise is suspected. [1]