CVE-2025-58996: 
WordPress vulnerability analysis and mitigation

The vulnerability identified as CVE-2025-58996 affects the Advanced Settings WordPress plugin versions 3.1.1 and below. This security issue was discovered and reported by researcher R1sky on September 23, 2025, and was publicly disclosed on September 24, 2025. The vulnerability affects the file upload functionality in the WordPress Advanced Settings plugin (Patchstack VDP).

The vulnerability is classified as an Arbitrary File Upload issue with a CVSS score of 9.1, indicating a critical severity level. It falls under the OWASP Top 10 category A5: Security Misconfiguration. The vulnerability requires Author-level privileges or higher to be exploited (Patchstack VDP).

This vulnerability could allow an authenticated attacker with Author-level privileges to upload arbitrary files to the affected WordPress website. The potential impact includes the ability to upload malicious files, including backdoors, which could be executed to gain further access to the website (Patchstack VDP).

The vulnerability has been patched in version 3.2.0 of the Advanced Settings plugin. Users are advised to update to version 3.2.0 or later immediately. Additionally, Patchstack has issued a mitigation rule to block any attacks until users can update to a fixed version (Patchstack VDP).