
CVE-2025-58980: CWE-862 Missing Authorization in recorp Export WP Page to Static HTML/CSS

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-58980, cve, cve-2025-58980, cwe-862
Published: Tue Sep 09 2025 (09/09/2025, 16:33:16 UTC)
Source: CVE Database V5
Vendor/Project: recorp
Product: Export WP Page to Static HTML/CSS

Description

Missing Authorization vulnerability in recorp Export WP Page to Static HTML/CSS allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Export WP Page to Static HTML/CSS: from n/a through 4.1.0.

AI-Powered Analysis

Last updated: 09/09/2025, 16:47:31 UTC

Technical Analysis

CVE-2025-58980 is a Missing Authorization vulnerability (CWE-862) identified in the WordPress plugin 'Export WP Page to Static HTML/CSS' developed by recorp. This vulnerability affects versions up to 4.1.0 and allows unauthorized users to access functionality that should be restricted by Access Control Lists (ACLs). Specifically, the flaw arises because the plugin does not properly enforce authorization checks before allowing access to certain export functionalities. The CVSS 3.1 base score is 5.3 (medium severity), with the vector indicating that the vulnerability can be exploited remotely (AV:N) with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is limited to confidentiality (C:L), with no impact on integrity or availability. This means an attacker can potentially obtain information or data that should be protected by authorization controls, but cannot modify or disrupt the system. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on September 9, 2025, and was reserved a few days earlier. The plugin is used to export WordPress pages into static HTML/CSS, a functionality often used to improve site performance or security by serving static content. However, the missing authorization check could allow an unauthenticated attacker to export content that might otherwise be restricted, potentially exposing sensitive or private website data.

Potential Impact

For European organizations using the 'Export WP Page to Static HTML/CSS' plugin, this vulnerability could lead to unauthorized disclosure of website content. This is particularly concerning for organizations hosting sensitive or regulated information on their WordPress sites, such as government agencies, healthcare providers, financial institutions, and enterprises subject to GDPR compliance. Exposure of confidential content could lead to reputational damage, regulatory penalties, and loss of customer trust. Although the vulnerability does not allow modification or disruption of services, the unauthorized data access could facilitate further reconnaissance by attackers, potentially leading to more severe attacks. Given the plugin's role in exporting site content, attackers might extract proprietary information, internal documents, or user data embedded in pages. The medium severity rating reflects a moderate risk, but the lack of required privileges and user interaction increases the likelihood of exploitation if the plugin is in use and accessible.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the 'Export WP Page to Static HTML/CSS' plugin, especially versions up to 4.1.0. Until an official patch is released, organizations should consider disabling or uninstalling the plugin to eliminate exposure. If the plugin is critical for operations, restrict access to the WordPress admin interface and plugin functionalities via network-level controls such as IP whitelisting or VPN access. Implement Web Application Firewall (WAF) rules to detect and block unauthorized requests attempting to access export functions. Additionally, review and tighten WordPress user roles and permissions to ensure that only trusted users have administrative access. Monitor web server logs for unusual export activity or unauthorized access attempts. Once a patch becomes available, prioritize timely application of updates. Finally, conduct a content audit to identify any sensitive information that may have been exposed and take appropriate incident response actions if necessary.
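The audit step above can be scripted. The following is an added example, not code from the advisory or the plugin vendor: it walks a `wp-content/plugins` directory, reads each plugin's header comment, and flags installs of this plugin at or below 4.1.0. It assumes the plugin's `Plugin Name:` header contains the product name as printed on this page; the sample folders and the 4.2.0 version are constructed.

```python
import re
import tempfile
from pathlib import Path

# Product name as printed in the advisory; assumed to appear in the "Plugin Name:" header.
PRODUCT = "Export WP Page to Static HTML/CSS"
LAST_AFFECTED = (4, 1, 0)  # advisory: "from n/a through 4.1.0"
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_version(text):
    """Turn '4.1' or '4.1.0-beta' into a 3-tuple of ints, zero-padded."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def read_headers(php_file):
    """Read header fields from the first 8 KiB, the region WordPress scans."""
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    fields = {}
    for key, value in HEADER.findall(head):
        fields.setdefault(key.lower(), value)  # first occurrence wins
    return fields

def audit(plugins_dir):
    """Return [(folder, version, affected)] for every matching plugin."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        h = read_headers(php)
        if PRODUCT.lower() in h.get("plugin name", "").lower():
            ver = h.get("version", "")
            # No version header: flag it so a human reviews the install.
            affected = not ver or parse_version(ver) <= LAST_AFFECTED
            findings.append((php.parent.name, ver, affected))
    return findings

def build_sample_tree(root):
    """Constructed sample input: fake plugin folders holding headers only."""
    samples = {
        "site-a-export": (PRODUCT, "4.1.0"),
        "site-b-export": (PRODUCT, "4.2.0"),
        "other-plugin": ("Some Other Plugin", "1.0"),
    }
    for folder, (name, ver) in samples.items():
        d = Path(root) / folder
        d.mkdir(parents=True)
        (d / "main.php").write_text(f"<?php\n/*\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample_tree(tmp)))
```

To use it on a real host, call `audit()` with the path to the site's `wp-content/plugins` directory; a version string with more than three components is compared on its first three, which errs toward flagging.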


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-09-06T04:45:16.550Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68c05927ffcb452a184a8c28

Added to database: 9/9/2025, 4:43:19 PM

Last enriched: 9/9/2025, 4:47:31 PM

Last updated: 9/9/2025, 9:35:28 PM
