CVE-2025-58649
BaseFortify
Publication date: 2025-09-22
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | all_in_one_seo_pack | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58649 is a Sensitive Data Exposure vulnerability in the WordPress All In One SEO Pack plugin (up to version 4.8.7). It allows a malicious user with Contributor-level privileges to access sensitive information that should normally be restricted. This vulnerability falls under the OWASP Top 10 category A1: Broken Access Control. Although it has a low severity rating (CVSS 4.3), the exposed data could be used to exploit other system weaknesses. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with Contributor-level access to retrieve sensitive information that is normally protected. The exposure of this data could lead to further exploitation of the system or compromise of additional information. While the severity is considered low and widespread exploitation is unlikely, it still poses a risk to the confidentiality of sensitive data within the affected WordPress site. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the WordPress All In One SEO Pack plugin version is up to and including 4.8.7 and monitoring for unauthorized access by users with Contributor-level privileges to sensitive data. Since plugin-based malware scanners may be unreliable, it is recommended to perform server-side malware scanning and engage professional incident response if compromise is suspected. Specific commands are not provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the virtual patch (vPatch) provided by Patchstack to protect against exploitation without requiring an official plugin update. Additionally, monitoring for suspicious activity and performing server-side malware scanning are advised. Since no official fix is available as of the report date, these measures help reduce risk. [1]