Executive Summary

CVE-2025-58649 is a Sensitive Data Exposure vulnerability in the WordPress All In One SEO Pack plugin (up to version 4.8.7). It allows a malicious user with Contributor-level privileges to access sensitive information that should normally be restricted. This vulnerability falls under the OWASP Top 10 category A1: Broken Access Control. Although it has a low severity rating (CVSS 4.3), the exposed data could be used to exploit other system weaknesses. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with Contributor-level access to retrieve sensitive information that is normally protected. The exposure of this data could lead to further exploitation of the system or compromise of additional information. While the severity is considered low and widespread exploitation is unlikely, it still poses a risk to the confidentiality of sensitive data within the affected WordPress site. [1]

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if the WordPress All In One SEO Pack plugin version is up to and including 4.8.7 and monitoring for unauthorized access by users with Contributor-level privileges to sensitive data. Since plugin-based malware scanners may be unreliable, it is recommended to perform server-side malware scanning and engage professional incident response if compromise is suspected. Specific commands are not provided in the available resources. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying the virtual patch (vPatch) provided by Patchstack to protect against exploitation without requiring an official plugin update. Additionally, monitoring for suspicious activity and performing server-side malware scanning are advised. Since no official fix is available as of the report date, these measures help reduce risk. [1]

Useful 0 Not Useful 0