Description
Missing Authorization vulnerability in javothemes Javo Core javo-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Javo Core: from n/a through <= 3.0.0.529.
Published: 2025-12-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Javo Core for WordPress contains a missing authorization flaw that allows a user to delete arbitrary content. The plugin’s delete functionality is not properly restricted, giving an attacker the ability to remove posts, pages, or other content that they should not be able to modify. This lack of proper access control is the weakness underlying CWE-862. Based on the description, it is inferred that an attacker who can authenticate to the WordPress site—using a compromised or low‑privilege account—could invoke this flaw to delete content and cause data loss or site instability.

Affected Systems

Javo Core plugin by javothemes is vulnerable in all releases from the initial version up through 3.0.0.529. WordPress sites that run any of these affected plugin versions are at risk.

Risk and Exploitability

The CVSS score of 7.5 marks the vulnerability as high severity, while the EPSS score of less than 1% indicates a low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Exploitation would most likely target users who have authenticated to the platform but lack appropriate deletion permissions, and the attack would use the plugin’s delete capability to remove content. No public exploit has been documented as of the current data.

Generated by OpenCVE AI on April 29, 2026 at 22:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Javo Core to a version newer than 3.0.0.529 or apply the vendor‑supplied patch that fixes the missing authorization issue.
  • Reconfigure WordPress role permissions so that only administrator accounts retain delete capabilities for the plugin’s content.
  • Disable or monitor the plugin’s delete endpoints (e.g., by blocking DELETE or related requests) until the fix is applied.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Javothemes; Javothemes javo Core; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Javothemes; Javothemes javo Core; Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Missing Authorization vulnerability in javothemes Javo Core javo-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Javo Core: from n/a through <= 3.0.0.529.

Type: Title
Values Removed: (none)
Values Added: WordPress Javo Core plugin <= 3.0.0.529 - Arbitrary Content Deletion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:48.947Z

Reserved: 2025-09-05T10:50:17.982Z

Link: CVE-2025-58877

Vulnrichment

Updated: 2025-12-18T18:13:30.822Z

NVD

Status: Deferred

Published: 2025-12-18T08:15:57.510

Modified: 2026-04-27T19:16:15.243

Link: CVE-2025-58877

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:45:06Z

Weaknesses