CVE-2025-3058: 
WordPress vulnerability analysis and mitigation

The Xelion Webchat plugin for WordPress contains a privilege escalation vulnerability (CVE-2025-3058) due to a missing capability check in the xwcsavesettings() function. The vulnerability affects all versions up to and including 9.1.0. This security flaw was discovered and reported by Wordfence, with the initial disclosure made on April 24, 2025 (NVD).

The vulnerability stems from a missing authorization check in the xwcsavesettings() function within the WordPress plugin. The CVSS v3.1 base score is 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-862 (Missing Authorization). The vulnerability allows authenticated attackers with Subscriber-level access or higher to update arbitrary options on the WordPress site (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access to modify arbitrary WordPress site options. Specifically, attackers can update the default role for new user registrations to administrator and enable user registration, effectively gaining administrative access to the vulnerable site (NVD).

Site administrators should immediately update the Xelion Webchat plugin to a version newer than 9.1.0 when available. Until a patch is released, it is recommended to review and restrict user roles and permissions, particularly focusing on limiting access to the plugin's functionality (NVD).