WordPress Plugin Vulnerabilities

Qubely <= 1.8.14 - Authenticated (Contributor+) Sensitive Information Exposure

Description

The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.14. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive user or configuration data.

Affects Plugins

Plugin icon
qubely
No known fix

References

CVE
CVE-2025-58249
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fb0ceb76-08ae-40c6-ad28-d013d40dc223

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abu Hurayra
Verified
No
WPVDB ID
be6b8d94-ad1c-46b3-9e4d-8ddbe593f80c

Timeline

Publicly Published
2025-09-22 (about 7 months ago)
Added
2025-09-26 (about 7 months ago)
Last Updated
2025-09-26 (about 7 months ago)

Other

Published
Title
Published
2024-04-16
Title
HT Mega < 2.4.7 - Unauthenticated Order Data Disclosure
Published
2024-09-24
Title
HT Mega – Absolute Addons For Elementor < 2.6.6 - Authenticated (Contributor+) Sensitive Information Exposure via template_id
Published
2024-05-10
Title
Shopping Cart & eCommerce Store < 5.6.5 - Sensitive Information Exposure
Published
2024-08-14
Title
Newsletters < 4.9.9.1 - Unauthenticated Full Path Disclosure
Published
2024-10-21
Title
TeploBot - Telegram Bot for WP <= 1.3 - Telegram Bot Token Disclosure