CVE-2025-58978: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in WP Swings PDF Generator for WordPress plugin versions through 1.5.4. The vulnerability was discovered by Tran Hoang Tuan Kiet and was officially published on September 9, 2025. The security issue relates to incorrectly configured access control security levels in the WordPress plugin (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS 3.1 base score of 5.3 (Medium). The vulnerability vector is described as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed. The vulnerability primarily affects confidentiality with low impact (Patchstack).

The vulnerability stems from a missing authorization, authentication, or nonce token check in a function that could allow an unprivileged user to execute certain higher privileged actions. The security issue has been assessed to have a low severity impact and is considered unlikely to be exploited (Patchstack).

The vulnerability has been fixed in version 1.5.5 of the PDF Generator for WordPress plugin. Users are advised to update to version 1.5.5 or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).