CVE-2025-58849: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Deepak S Hide Real Download Path WordPress plugin that allows Stored XSS attacks. The vulnerability, tracked as CVE-2025-58849, affects versions through 1.6 of the plugin. The issue was discovered by Nguyen Xuan Chien and was publicly disclosed on September 5, 2025 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requires no privileges (PR:N), and needs user interaction (UI:R). The scope is changed (S:C) with low impacts to confidentiality, integrity, and availability (Patchstack).

The vulnerability allows attackers to perform Cross-Site Request Forgery attacks that can lead to Stored XSS. This could enable malicious actors to force higher privileged users to execute unwanted actions under their current authentication level (Patchstack).

No official fix is available as the software appears to be abandoned, having not received updates for over a year. The recommended mitigation is to remove and replace the plugin with an alternative solution (Patchstack).