CVE-2025-58663: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-58663) was discovered in Themeum Qubely WordPress plugin affecting versions through 1.8.14. The vulnerability was reported by Denver Jackson on August 14, 2025, and was publicly disclosed on September 22, 2025. The issue relates to broken access control in the plugin's security configuration (Patchstack).

The vulnerability is classified as CWE-862 (Missing Authorization) and received a CVSS 3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue stems from a missing authorization, authentication, or nonce token check in a function that could allow an unprivileged user to execute certain higher privileged actions (Patchstack, NVD).

The vulnerability has been assessed as having a low severity impact and is considered unlikely to be exploited. It primarily affects the integrity of the system, as indicated by the CVSS metrics showing impact on integrity (I:L) while confidentiality and availability remain unaffected (Patchstack).

As of the latest reports, no official fix is available for this vulnerability. The issue affects Qubely versions through 1.8.14, and users with Contributor-level privileges or higher could potentially exploit this vulnerability (Patchstack).