Two WordPress Core Vulnerabilities Disclosed Without Patch: Sensitive Data Exposure and Stored XSS

Two vulnerabilities were found in WordPress Core, affecting all versions up to and including 6.8.2. Both flaws were accidentally made public by a third-party before patches were available, though the disclosure was coordinated with the WordPress security team.

The first flaw, CVE-2025-58246, is classified as a Sensitive Information Exposure vulnerability. It affects WordPress Core up to version 6.8.2 and carries a CVSS score of 4.3, placing it in the “Medium” severity category.

The vulnerability could allow authenticated users with Contributor-level access or higher to extract sensitive data, potentially including configuration or user-related details. While this type of exposure is not immediately exploitable for large-scale attacks, it still presents privacy and information leakage risks, especially for multi-user WordPress environments.

According to the disclosure, the bug was unintentionally revealed by a third-party researcher. WordPress has confirmed that the security team is actively working on a fix, but as of now, no official patch is available.

The second issue, CVE-2025-58674, poses a more significant risk. It is a Stored Cross-Site Scripting (XSS) vulnerability in WordPress Core up to version 6.8.2. The flaw, rated CVSS 6.4, stems from insufficient input sanitization and output escaping.

This vulnerability allows authenticated users with Author-level access or higher to inject arbitrary JavaScript into WordPress pages. Once injected, the malicious code would execute in the browsers of any visitors or administrators viewing the compromised page, potentially enabling session hijacking, credential theft, or redirection to malicious sites.

Like CVE-2025-58246, this vulnerability was disclosed prematurely and remains unpatched. However, WordPress has emphasized that the current risk to site owners is considered low while mitigation work is underway.

Although the WordPress Security Team has downplayed the immediate risk of these vulnerabilities, site owners should take precautionary measures:

• Restrict Contributor and Author access: Limit user roles to only those who absolutely require them.
• Monitor user activity: Keep an eye out for unusual Contributor/Author actions, such as unexpected content injections.
• Harden security plugins: Use reputable WordPress security plugins that provide logging, XSS detection, and role management.
• Stay alert for patch releases: A security update addressing these flaws is expected soon.

Related Posts:

• Google Cloud Mishap: Accidental Deletion of $125 Billion Pension Fund’s Account Raises Concerns
• GitLab Update: High-Severity XSS & Data Exposure Flaws Patched
• AMD’s FSR 4 Leaked: The Accidental Open Source Release
• WordPress Issues Urgent Security Update to Patch Multiple Vulnerabilities

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy