CVE-2025-58963: 
WordPress vulnerability analysis and mitigation

CVE-2025-58963 is an Unrestricted Upload of File with Dangerous Type vulnerability discovered in the 7oroof Medcity WordPress theme. The vulnerability affects versions prior to 1.1.9 and was disclosed on October 22, 2025. This security flaw allows attackers to upload a web shell to a web server (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (AttackerKB, NVD).

The vulnerability allows attackers to upload malicious files (web shells) to the target web server, potentially leading to complete system compromise. With a CVSS score of 9.8, the impact is considered critical, affecting all three security properties: confidentiality, integrity, and availability at their highest levels (NVD).

Users are advised to upgrade their Medcity WordPress theme to version 1.1.9 or later to address this vulnerability (Patchstack).