CVE-2025-58678: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in PickPlugins Accordion WordPress plugin affecting versions through 2.3.14. The vulnerability was reported by security researcher Abu Hurayra on August 17, 2025, and was publicly disclosed on September 22, 2025. The issue was assigned CVE-2025-58678 and relates to broken access control that allows exploiting incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 base score of 6.5 (Medium). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating that the vulnerability requires network access, low attack complexity, and low privileges to exploit. No user interaction is required for exploitation (Patchstack, NVD).

The vulnerability allows an attacker with contributor-level access to execute higher privileged actions due to broken access control mechanisms. The CVSS metrics indicate that while there is potential for high confidentiality impact, there are no direct impacts on integrity or availability of the system (Patchstack).

The vulnerability has been fixed in version 2.3.16 of the Accordion plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update functionality for vulnerable plugins as an additional security measure (Patchstack).