CVE-2025-58678: CWE-862 Missing Authorization in PickPlugins Accordion

Severity: Medium
Tags: Vulnerability, CVE-2025-58678, CWE-862
Published: Mon Sep 22 2025 (09/22/2025, 18:22:49 UTC)
Source: CVE Database V5
Vendor/Project: PickPlugins
Product: Accordion

Description

Missing Authorization vulnerability in PickPlugins Accordion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion: from n/a through 2.3.14.

AI-Powered Analysis

Last updated: 09/30/2025, 01:33:47 UTC

Technical Analysis

CVE-2025-58678 is a Missing Authorization vulnerability (CWE-862) in the PickPlugins Accordion WordPress plugin, affecting all versions through 2.3.14. CWE-862 means the code performs a privileged operation or returns protected data without first checking that the caller is allowed to; in WordPress plugins this usually takes the form of a handler that any logged-in user can reach (for example through admin-ajax.php or a REST route) but that never calls a capability check such as current_user_can(). The CVE record does not name the affected handler. The vector reported here is network-reachable (AV:N) with low attack complexity (AC:L), requires only a low-privileged authenticated account, and needs no user interaction; the CVSS v3.1 base score is 6.5 (Medium), with the impact confined to confidentiality and no effect on integrity or availability. In practice this means an authenticated but low-privileged user, such as a Subscriber on a site with open registration, can read data or configuration that the plugin should expose only to administrators. At the time of this analysis no patch link and no in-the-wild exploitation had been recorded. That does not make the issue less exploitable: a missing capability check is typically trivial to trigger once the affected request is known, so sites that manage sensitive content through the plugin should treat unpatched installations as exposed.
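The following is an added illustration of the bug class, not code from the Accordion plugin (the CVE record does not identify the affected handler). The action name, option name and capability are hypothetical. The first handler is what a CWE-862 finding in a WordPress plugin typically looks like: it is reachable only by logged-in users, so the author assumed it was safe, but it never checks which user is calling. The second shows the same handler with both the nonce and the capability check it needs, and the REST equivalent.

```php
<?php
/**
 * Added example (hypothetical plugin code, not PickPlugins Accordion):
 * a "Missing Authorization" AJAX handler and its hardened form.
 */

// --- Vulnerable pattern ----------------------------------------------------
// wp_ajax_* hooks only run for logged-in users, so the handler is "authenticated".
// It is NOT authorized: a Subscriber can call
//   POST /wp-admin/admin-ajax.php  action=myplugin_export_settings
// and receive every stored setting.
//
// add_action( 'wp_ajax_myplugin_export_settings', 'myplugin_export_settings_vulnerable' );
function myplugin_export_settings_vulnerable() {
    $settings = get_option( 'myplugin_settings', array() );
    wp_send_json_success( $settings ); // authenticated != authorized
}

// --- Hardened pattern ------------------------------------------------------
add_action( 'wp_ajax_myplugin_export_settings', 'myplugin_export_settings_fixed' );
function myplugin_export_settings_fixed() {
    // 1. CSRF: the request must carry a nonce minted for this action. The admin page
    //    that triggers the call obtains it with wp_create_nonce( 'myplugin_export_settings' ).
    check_ajax_referer( 'myplugin_export_settings', 'nonce' );

    // 2. Authorization (the missing check behind CWE-862): only users who may manage
    //    the site get to read its configuration. The nonce alone does not prove this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $settings = get_option( 'myplugin_settings', array() );
    wp_send_json_success( $settings );
}

// --- Same rule for REST routes ---------------------------------------------
// permission_callback is where authorization lives; '__return_true' would recreate the bug.
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( get_option( 'myplugin_settings', array() ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When reviewing a plugin for this class of bug, grep for `add_action( 'wp_ajax_` and `register_rest_route` and confirm that every handler reaches a `current_user_can()` (or an equivalent capability check) before it touches data; a nonce check on its own only proves the request came from a page the same user loaded.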

Potential Impact

For European organizations running WordPress sites with the PickPlugins Accordion plugin, this vulnerability could lead to unauthorized disclosure of information the plugin manages. This matters most for organizations processing personal data under the GDPR, where unauthorized exposure can bring regulatory penalties and reputational damage. Because the flaw needs only a low-privileged account, the realistic attackers are insiders, users on sites with open registration, and external actors who have obtained any valid credentials; none of them need to trick another user. Sectors such as finance, healthcare, education and government are affected in proportion to how much sensitive content they publish or configure through the plugin. The Medium rating reflects a confidentiality-only impact, not a low likelihood: the issue is cheap to exploit once the affected request is known and can be combined with other weaknesses for greater effect.

Mitigation Recommendations

European organizations should immediately audit their use of the PickPlugins Accordion plugin, verify the installed version, and treat anything up to and including 2.3.14 as affected. Since no official patch link is available at the time of writing, the following interim measures apply:

1) Restrict the plugin's administrative and configuration interfaces to trusted, highly privileged users, and review who holds low-privileged accounts: if "Anyone can register" is enabled in Settings > General, any visitor can create the Subscriber account the attack needs.
2) Add an authorization layer in front of the plugin: a WAF or web-server rule can drop admin-ajax.php and REST requests that carry the plugin's actions from sessions that are not administrators, and a small must-use plugin can enforce a capability check before the plugin's handlers run.
3) Monitor access logs for admin-ajax.php and REST requests that reference the plugin's actions from non-administrator accounts or from unusual sources, and alert on 403 responses produced by the interim controls.
4) If feasible, temporarily deactivate or replace the Accordion plugin until a vendor patch is released.
5) Remind administrators that an authenticated low-privileged user is sufficient to exploit this bug, and enforce strong authentication and session management so stolen or self-registered credentials are not enough on their own.
6) Track vendor and Patchstack announcements and apply the patch promptly once available, then remove the interim controls.
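The must-use plugin below is an added example that implements items 1 to 3 above as an interim control; it is not vendor code. It assumes the plugin's main file is accordions/accordions.php and that its admin-ajax actions start with accordions_ (both assumptions; check them against your install before relying on the guard). The affected-version bound 2.3.14 comes from the CVE record. While an affected version is installed, any admin-ajax request for a guarded action from a user without manage_options is refused and logged; once a fixed version is installed the guard stands down automatically.

```php
<?php
/**
 * Plugin Name: Interim guard for CVE-2025-58678 (added example, not vendor code)
 * Install: copy to wp-content/mu-plugins/ (mu-plugins load before regular plugins).
 *
 * Assumptions (verify on your site):
 *   - the plugin's main file is accordions/accordions.php
 *   - its admin-ajax actions are named accordions_*
 */

define( 'ACC_GUARD_PLUGIN_FILE',   'accordions/accordions.php' ); // assumed path
define( 'ACC_GUARD_LAST_AFFECTED', '2.3.14' );                    // from the CVE record
define( 'ACC_GUARD_ACTION_PREFIX', 'accordions_' );               // assumed prefix

/** Installed plugin version from its header, or null when the plugin is absent. */
function acc_guard_installed_version() {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $path = WP_PLUGIN_DIR . '/' . ACC_GUARD_PLUGIN_FILE;
    if ( ! file_exists( $path ) ) {
        return null;
    }
    $data = get_plugin_data( $path, false, false );
    return isset( $data['Version'] ) ? $data['Version'] : null;
}

/** True when the installed version is within the affected range (<= 2.3.14). */
function acc_guard_is_affected( $version ) {
    return null !== $version && version_compare( $version, ACC_GUARD_LAST_AFFECTED, '<=' );
}

/**
 * admin_init fires for admin-ajax.php requests before the action-specific
 * wp_ajax_* hook, so the guard runs ahead of the plugin's own handler.
 */
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 0 !== strpos( $action, ACC_GUARD_ACTION_PREFIX ) ) {
        return; // not one of the guarded actions
    }
    if ( ! acc_guard_is_affected( acc_guard_installed_version() ) ) {
        return; // fixed version installed; let the vendor code decide
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        // Item 3: leave an auditable trace of every blocked attempt.
        error_log( sprintf(
            'acc_guard: blocked action=%s user=%d ip=%s',
            $action,
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
} );

/** Item 1: keep the audit finding visible to administrators until the plugin is updated. */
add_action( 'admin_notices', function () {
    $version = acc_guard_installed_version();
    if ( acc_guard_is_affected( $version ) && current_user_can( 'manage_options' ) ) {
        printf(
            '<div class="notice notice-warning"><p>Accordion %s is within the CVE-2025-58678 affected range (through 2.3.14); the interim guard is active.</p></div>',
            esc_html( $version )
        );
    }
} );
```

Two caveats. The guard only covers admin-ajax.php; if the plugin also exposes REST routes, add a matching `rest_pre_dispatch` or `rest_authentication_errors` filter for those namespaces. And because it requires manage_options for every guarded action, it may break plugin features that Editors legitimately use; test on staging and narrow the action prefix or the required capability if that happens.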


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-09-03T09:03:46.831Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d194d1a6a0abbafb7a3cf2

Added to database: 9/22/2025, 6:26:25 PM

Last enriched: 9/30/2025, 1:33:47 AM

Last updated: 10/7/2025, 1:46:03 PM
