CVE-2025-58603: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in the Surfer WordPress plugin, identified as CVE-2025-58603. The vulnerability affects versions up to and including 1.6.4.574, allowing unauthenticated attackers to exploit incorrectly configured access control security levels. The vulnerability was disclosed on September 3, 2025 (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 base score of 5.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed. The impact primarily affects integrity with low severity, while confidentiality and availability remain unaffected (Patchstack, Rapid7).

The vulnerability allows unauthenticated attackers to perform unauthorized actions due to missing capability checks in the plugin's functions. The primary impact is on the system's integrity, though limited in scope (Rapid7).

Users are advised to update to version 1.6.5.584 or later to remediate this vulnerability. The security issue has been assessed as having a low severity impact and is considered unlikely to be exploited (Patchstack).