CVE-2025-58617: 
WordPress vulnerability analysis and mitigation

The F4 Media Taxonomies WordPress plugin versions up to 1.1.4 contains a Missing Authorization/Broken Access Control vulnerability (CVE-2025-58617). The vulnerability was discovered by Nabil Irawan and was publicly disclosed on September 3, 2025. This security issue affects the plugin's access control mechanisms and has been assigned a CVSS score of 4.3 (Low severity) (Patchstack).

The vulnerability stems from a missing capability check on a function that allows authenticated users with Subscriber-level access or higher to perform unauthorized actions. The issue has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. This indicates network vector accessibility, low attack complexity, low privileges required, no user interaction needed, unchanged scope, no impact on confidentiality, low impact on integrity, and no impact on availability (Rapid7).

The vulnerability allows authenticated attackers with Subscriber-level privileges to execute unauthorized actions within the plugin's functionality. While the overall severity is considered low, it represents a security weakness in the plugin's access control implementation that could potentially be exploited to perform actions beyond the intended privilege level (Patchstack).

Users are advised to update to version 1.1.5 or later of the F4 Media Taxonomies plugin, which contains the fix for this vulnerability. The security issue has been patched in the updated version, and upgrading is the recommended solution to address the vulnerability (Patchstack).