CVE-2025-58597
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-03

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Authorization Bypass Through User-Controlled Key vulnerability in Tomdever wpForo Forum wpforo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpForo Forum: from n/a through <= 2.4.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-03
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2025-09-03
EPSS Evaluated
2026-06-14
NVD
CVE-2025-58597
EUVD
EUVD-2025-26569
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
tomdever wpforo_forum 2.4.6
tomdever wpforo_forum *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-58597 is an Insecure Direct Object References (IDOR) vulnerability in the WordPress wpForo Forum Plugin versions up to 2.4.6. It allows a malicious user with subscriber-level privileges to bypass authorization and authentication controls, potentially gaining unauthorized access to sensitive files, folders, or database interactions. This is due to incorrectly configured access control security levels. The vulnerability is classified under OWASP Top 10 category A1: Broken Access Control and has a low severity rating with a CVSS score of 4.3. The issue is fixed in version 2.4.7. [1]

Impact Analysis

This vulnerability can allow an attacker with subscriber-level access to bypass normal authorization controls and access sensitive data or resources they should not have permission to view or modify. Although the severity is low and exploitation is considered unlikely, successful exploitation could lead to unauthorized access to files, folders, or database content, potentially compromising the confidentiality or integrity of information on the affected forum. [1]

Detection Guidance

Detection of this vulnerability involves checking if the wpForo Forum Plugin version is 2.4.6 or earlier, as these versions are affected. Since the vulnerability allows authorization bypass via Insecure Direct Object References (IDOR), monitoring for unusual access patterns or unauthorized access attempts to sensitive files or database interactions by subscriber-level users may help. However, no specific detection commands are provided. It is recommended to use professional incident response services and server-side malware scanning to detect possible exploitation, as plugin-based malware scanners may be unreliable due to tampering. [1]

Mitigation Strategies

The immediate mitigation step is to update the wpForo Forum Plugin to version 2.4.7 or later, where the vulnerability is fixed. Alternatively, enabling Patchstack's virtual patching (vPatching) can provide immediate protection before official patches are applied. Additionally, enabling auto-updates for vulnerable plugins is recommended to ensure timely protection. If a compromise is suspected, professional incident response and server-side malware scanning should be conducted. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58597. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart