CVE-2025-58841
BaseFortify
Publication date: 2025-09-05
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | media_author | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Broken Access Control issue in the WordPress Media Author Plugin (up to version 1.0.4) that allows users with Author-level privileges to perform actions that should be restricted to higher-privileged roles. It occurs due to missing authorization, authentication, or nonce token checks in certain functions, enabling privilege escalation. [1]
How can this vulnerability impact me?
The vulnerability allows an attacker with Author-level access to escalate their privileges and perform actions reserved for higher-privileged users. This can lead to unauthorized changes or disruptions within the WordPress site. Since the plugin is abandoned and no official fix exists, the risk remains unless a virtual patch is applied or the plugin is replaced. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the WordPress Media Author Plugin version is 1.0.4 or earlier, as these versions are affected. Since the vulnerability involves broken access control allowing privilege escalation from Author-level users, monitoring for unauthorized privilege escalation attempts or unusual role changes in WordPress logs may help detect exploitation. Specific commands are not provided, but inspecting the plugin version via WordPress admin or using WP-CLI commands like 'wp plugin list' to verify the plugin version can assist in detection. [1]
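As an added example (not code from BaseFortify, Patchstack or the plugin), the check above can be scripted: parse the output of `wp plugin list --format=json` and flag an install whose version is 1.0.4 or earlier. The WP-CLI slug `media-author` is an assumption, since the record gives only the product name `media_author`.

```python
"""Flag a Media Author install whose version falls in the affected range."""
import json
import subprocess

AFFECTED_SLUG = "media-author"   # assumed WP-CLI slug; record only gives media_author
MAX_AFFECTED = "1.0.4"           # highest affected version per the record


def parse_version(v):
    """Split a dotted version into ints so that 1.0.10 compares above 1.0.4."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version):
    """True when version <= MAX_AFFECTED (pad to equal length before comparing)."""
    a, b = parse_version(version), parse_version(MAX_AFFECTED)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def find_affected(plugin_list_json):
    """Return [(name, version, status)] for affected installs.

    Inactive plugins are reported too: deactivating does not remove the risk.
    """
    hits = []
    for p in json.loads(plugin_list_json):
        if p.get("name") == AFFECTED_SLUG and is_affected(p.get("version", "0")):
            hits.append((p["name"], p["version"], p.get("status")))
    return hits


def scan_site(path):
    """Run WP-CLI against a site root and return the affected entries."""
    out = subprocess.run(["wp", "plugin", "list", "--format=json", "--path=" + path],
                         check=True, capture_output=True, text=True).stdout
    return find_affected(out)


# Constructed sample of `wp plugin list --format=json` output, not from a real site.
SAMPLE = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "media-author", "status": "inactive", "update": "none", "version": "1.0.4"},
])

if __name__ == "__main__":
    for name, ver, status in find_affected(SAMPLE):
        print(f"{name} {ver} ({status}): affected, replace the plugin or apply the vPatch")
```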
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include urgently replacing the Media Author plugin with an alternative plugin, as no official fix or updated version is available. Applying a virtual patch (vPatch) provided by Patchstack can auto-mitigate the vulnerability without an official patch. Simply deactivating the plugin does not eliminate the risk. Therefore, either apply the virtual patch or replace the plugin to reduce exposure. [1]