CVE-2025-30958 is a Missing Authorization vulnerability (CWE-862) identified in onOffice GmbH's onOffice for WP-Websites product. This vulnerability arises due to incorrectly configured access control security levels, allowing users with limited privileges to perform actions or access resources beyond their authorization. The affected product is a WordPress plugin or integration designed to facilitate real estate website management. The vulnerability affects versions up to 5.7, though specific version details are not fully enumerated. The CVSS v3.1 base score is 5.4, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) shows that the attack can be performed remotely over the network with low attack complexity, requires low privileges (authenticated user), no user interaction, and impacts integrity and availability but not confidentiality. The vulnerability does not require user interaction and does not escalate privileges but allows an authenticated user to perform unauthorized actions or cause denial of service or data integrity issues. No known exploits are currently in the wild, and no patches are linked yet, indicating that mitigation may require vendor updates or configuration changes once available. The root cause is an access control misconfiguration, a common issue where authorization checks are missing or insufficient, allowing privilege escalation or unauthorized operations within the application.

For European organizations using onOffice for WP-Websites, particularly real estate agencies and property management firms, this vulnerability could lead to unauthorized modification or disruption of website content or backend data. Since the vulnerability affects integrity and availability, attackers with low-level authenticated access could alter listings, disrupt service availability, or manipulate data, potentially damaging business reputation and causing operational downtime. Confidential customer data is not directly impacted, but integrity issues could indirectly affect trust and compliance with data protection regulations like GDPR. The medium severity suggests a moderate risk, but exploitation could be more impactful in organizations relying heavily on the affected plugin for critical business functions. Additionally, the remote network attack vector means attackers could exploit this vulnerability from outside the organization if user credentials are compromised or weak, increasing the threat surface.

Organizations should immediately audit user roles and permissions within onOffice for WP-Websites to ensure minimal privilege principles are enforced. Restrict access to the plugin’s administrative functions to trusted users only. Monitor logs for unusual activities indicative of unauthorized access or modifications. Since no patches are currently linked, coordinate with onOffice GmbH for timely updates or security advisories. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the plugin endpoints. Employ multi-factor authentication (MFA) for all users with access to the WordPress backend to reduce the risk of credential compromise. Regularly back up website data and configurations to enable quick recovery in case of integrity or availability attacks. Finally, consider isolating the WordPress environment or limiting network exposure to reduce attack surface.