CVE-2025-58608: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-58608) was discovered in BuddyDev MediaPress plugin for WordPress, affecting versions up to and including 1.5.9.1. The vulnerability was disclosed on September 3, 2025, and allows authenticated users with contributor-level access to perform PHP Local File Inclusion attacks (Patchstack, Rapid7).

The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It received a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The scoring indicates network attack vector, high attack complexity, low privileges required, no user interaction needed, and high impact on confidentiality, integrity, and availability (Patchstack).

The vulnerability allows authenticated attackers with contributor-level access to include and execute arbitrary files on the server, potentially leading to the execution of any PHP code in those files. This can be exploited to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included (Rapid7).

Users are advised to update to MediaPress version 1.6.0 or later to remediate this vulnerability. The security issue has been assessed as having a low severity impact and is considered unlikely to be exploited (Patchstack).