CVE-2025-58986: 
WordPress vulnerability analysis and mitigation

The Jock On Air Now (JOAN) WordPress plugin contains a missing authorization vulnerability (CVE-2025-58986) in versions up to and including 6.0.4. The vulnerability was discovered by Legion Hunter and publicly disclosed on October 2, 2025. This security issue affects WordPress installations with the JOAN plugin installed (Rapid7, Patchstack).

The vulnerability is classified as a Broken Access Control issue with a CVSS score of 6.5 (Medium severity). The security flaw stems from a missing capability check on a function, which allows authenticated users with Subscriber-level privileges or higher to perform unauthorized actions (Patchstack).

The vulnerability enables authenticated attackers with Subscriber-level access or higher to execute actions that should be restricted to users with higher privilege levels. This broken access control could potentially lead to unauthorized modifications or access to protected functionality within the WordPress installation (Rapid7).

The vulnerability has been patched in version 6.0.5 of the JOAN plugin. Site administrators are advised to update to version 6.0.5 or later immediately. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).