CVE-2025-58866
BaseFortify
Publication date: 2025-09-05
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | wordpress_site_info_plugin | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-497 | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability, identified as CVE-2025-58866, affects the WordPress Site Info Plugin versions up to 1.1. It is a Sensitive Data Exposure issue classified under OWASP Top 10 category A1: Broken Access Control. A malicious actor with Editor-level privileges can access sensitive information that should not be available to regular users, potentially enabling further exploitation of the system. The plugin is abandoned with no official fix available. [1]
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with Editor-level access to retrieve sensitive system information that should be restricted. This exposure can lead to further exploitation of the system, potentially compromising site security. Since the plugin is abandoned and unpatched, the risk persists unless mitigated by virtual patching or removal of the plugin. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands provided for this vulnerability. Detection involves identifying if the WordPress Site Info Plugin version 1.1 or earlier is installed and active, as these versions are vulnerable. Since the vulnerability allows Editor-level users to access sensitive data improperly, reviewing user roles and plugin versions in the WordPress admin dashboard can help detect exposure. No direct network or system commands are suggested in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing and replacing the vulnerable Site Info Plugin, as there is no official patch or update available. Applying a virtual patch (vPatch) offered by Patchstack can also mitigate the vulnerability automatically. Deactivating the plugin alone is insufficient to eliminate the risk. Users are advised to consider alternative software and seek professional incident response if compromise is suspected. [1]