- Description: The Xelion Webchat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the xwc_save_settings() function in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
- Source: security@wordfence.com
- NVD status: Awaiting Analysis
CVSS 3.1
- Type: Primary
- Base score: 8.8
- Impact score: 5.9
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity: HIGH
- security@wordfence.com: CWE-862
🚨 CVE-2025-3058 🔴 HIGH (8.8) 🏢 jauharixelion - Xelion Webchat 🏗️ * 🔗 https://t.co/8PlrMqVaPz 🔗 https://t.co/FNyWy7ycn5 #CyberCron #VulnAlert #InfoSec https://t.co/Btz9CJHfjc
@cybercronai
24 Apr 2025
New post from https://t.co/uXvPWJy6tj (CVE-2025-3058 | Jauhari Xelion Xelion Webchat Plugin up to 9.1.0 on WordPress Setting xwc_save_settings authorization) has been published on https://t.co/tvxggD0It5
@WolfgangSesin
24 Apr 2025
CVE-2025-3058 - WordPress - HIGH 🚨 🗓️ Date published 2025-04-24 09:15:30 UTC #WordPress #CyberSecurity #InfoSec #Vulnerability #TechNews https://t.co/iYT76EpFJ4
@vulns_space
24 Apr 2025
[CVE-2025-3058: HIGH] Xelion Webchat plugin for WordPress (up to version 9.1.0) is prone to data manipulation, escalating privileges via xwc_save_settings function. Attacker access and admin role change risks. #cve,CVE-2025-3058,#cybersecurity https://t.co/oj9HdC8BhG https://t.co/
@CveFindCom
24 Apr 2025
CVE-2025-3058 The Xelion Webchat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on th… https://t.co/SymqdlQJhE
@CVEnew
24 Apr 2025