CVE-2025-58957: 
WordPress vulnerability analysis and mitigation

CVE-2025-58957 is a Missing Authorization vulnerability discovered in the VPSUForm WordPress plugin, a No-Code Custom Form Builder. The vulnerability was identified by security researcher Legion Hunter on September 9, 2025, and was officially published on September 22, 2025. This security issue affects all versions of VPSUForm up to and including version 3.2.20 (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) due to missing authorization checks in certain plugin functions. It has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The technical nature of the vulnerability involves missing capability checks that should restrict access to certain plugin functionalities (Rapid7, Patchstack).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to perform unauthorized actions within the plugin's functionality. The impact is considered low severity as it requires authentication and only allows limited privilege escalation (Rapid7).

The vulnerability has been fixed in version 3.2.21 of the VPSUForm plugin. Users are advised to update to this version or later to remove the vulnerability. For users unable to update immediately, no specific workarounds have been provided, but the low severity nature of the vulnerability reduces immediate risk (Patchstack).