CVE-2025-67966
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-01-29

Assigner: Patchstack

Description
Incorrect Privilege Assignment vulnerability in e-plugins Lawyer Directory (lawyer-directory) allows Privilege Escalation. This issue affects Lawyer Directory: all versions up to and including 1.3.3.
Meta Information
Published: 2026-01-22
Last Modified: 2026-01-29
Generated: 2026-06-16
AI Q&A: 2026-01-23
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 2 associated CPEs
Vendor      Product           Version / Range
patchstack  lawyer_directory  up to 1.3.3 (inclusive)
patchstack  lawyer_directory  1.3.4 (the release that fixes the issue; see Mitigation Strategies)
CWE
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Detection Guidance

This vulnerability affects WordPress sites running the Lawyer Directory plugin at version 1.3.3 or earlier, so detection starts with an inventory of installed plugin versions. With WP-CLI, run `wp plugin list --format=json` and look for an entry named 'lawyer-directory' whose version is 1.3.3 or lower; compare versions numerically rather than as strings, so that a hypothetical 1.3.10 is not misread as older than 1.3.3. An inactive copy of the plugin is not reachable by an attacker but still warrants updating or removal. Beyond inventory, monitor for unexpected role changes, newly created administrator accounts and administrative actions from accounts that should not have them, since these may indicate exploitation. Patchstack provides a mitigation rule that can be enabled to block attacks targeting this vulnerability. No specific signatures for network traffic or exploit requests are provided in the resources. [1]
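
The version check described above, as an added example (not code from BaseFortify, Patchstack or the plugin's authors): it parses the JSON that `wp plugin list --format=json` prints, compares versions numerically so that 1.3.10 is not treated as older than 1.3.3, reports the plugin's active/inactive status for triage, and offers a fallback that reads the `Version:` line from a plugin's main PHP file header when WP-CLI is not available. It assumes the plugin's WP-CLI slug is `lawyer-directory` and that 1.3.4 is the first fixed release, as stated in the Mitigation Strategies section; the sample WP-CLI output is constructed, not captured from a real site.

```python
"""Flag a vulnerable Lawyer Directory install from WP-CLI plugin inventory output.

Added example for this advisory page; not code from BaseFortify, Patchstack or
the plugin. Assumptions (not confirmed by the page): the plugin's WP-CLI slug is
"lawyer-directory" and 1.3.4 is the first fixed release.
"""
import json
import re
import subprocess

VULN_SLUG = "lawyer-directory"   # assumed slug
FIXED_VERSION = "1.3.4"          # first fixed release per the advisory


def parse_version(version):
    """Turn '1.3.10' into a comparable tuple such as (1, 3, 10, 0).

    A plain string comparison would rank '1.3.10' below '1.3.3', so the
    numeric parts are compared as integers. Short versions are padded
    ('1.3' -> 1.3.0) and a trailing flag sorts a pre-release such as
    '1.3.4-beta' below its final release, which is the conservative choice
    when deciding whether a fix is present.
    """
    core, _, suffix = version.strip().partition("-")
    parts = [int(p) for p in re.findall(r"\d+", core)]
    parts += [0] * (3 - len(parts))
    parts.append(-1 if suffix else 0)
    return tuple(parts)


def is_vulnerable(version):
    """True for every release below the first fixed version (i.e. <= 1.3.3)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable_plugins(wp_cli_json):
    """Scan the JSON array printed by `wp plugin list --format=json`.

    Returns one finding per matching plugin and keeps WP-CLI's "status" field:
    an inactive copy is not reachable by an attacker, but its code is still on
    disk and should be updated or removed rather than ignored.
    """
    findings = []
    for plugin in json.loads(wp_cli_json):
        if plugin.get("name") == VULN_SLUG and is_vulnerable(plugin.get("version", "0")):
            findings.append({
                "name": plugin["name"],
                "version": plugin["version"],
                "status": plugin.get("status", "unknown"),
            })
    return findings


def version_from_plugin_header(php_source):
    """Fallback when WP-CLI is unavailable: read the 'Version:' line from the
    standard WordPress plugin header block in the plugin's main PHP file.
    Returns None when no such header is present."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    return match.group(1) if match else None


def scan_live_site(wp_path):
    """Run WP-CLI against a real install (requires `wp` on PATH). Not exercised
    by the constructed sample below; call it yourself for a live check."""
    out = subprocess.run(
        ["wp", "plugin", "list", "--format=json", f"--path={wp_path}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_vulnerable_plugins(out)


# Constructed sample in the shape WP-CLI prints; not taken from a real site.
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "lawyer-directory", "status": "active", "update": "available", "version": "1.3.3"},
])

if __name__ == "__main__":
    for hit in find_vulnerable_plugins(SAMPLE_WP_CLI_OUTPUT):
        print(f"VULNERABLE: {hit['name']} {hit['version']} ({hit['status']}); "
              f"update to {FIXED_VERSION} or later")
```

On a live host, `scan_live_site("/var/www/html")` (or wherever WordPress is installed) performs the same check against the real plugin list; the header fallback is useful for scanning backups or unpacked plugin directories where WP-CLI cannot run.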

Executive Summary

CVE-2025-67966 is a high-priority privilege escalation vulnerability in the WordPress Lawyer Directory plugin (versions up to and including 1.3.3). It allows an authenticated user with a low-privileged account, such as a subscriber, to escalate to a higher role, potentially gaining full control of the affected site. In other words, the normal role and capability boundaries can be bypassed to obtain administrative or other high-level access. [1]

Impact Analysis

This vulnerability allows an attacker who already holds low-level access to escalate privileges and take over the entire WordPress site, which could lead to unauthorized changes, data theft, site defacement or complete loss of control of the site. It carries a CVSS score of 8.8 (High). Note that CVSS measures severity, not the likelihood of exploitation; that likelihood is what the EPSS score tracks, and how easily an attacker can obtain a low-privileged account (for example through open user registration) has a large bearing on the real-world risk. [1]

Mitigation Strategies

To mitigate this vulnerability, update the Lawyer Directory plugin to version 1.3.4 or later. Until the update can be applied, enable the Patchstack mitigation rule that blocks attacks targeting this vulnerability. Patchstack users can also enable auto-updates specifically for vulnerable plugins to ensure ongoing protection. Because exploitation requires an authenticated low-privileged account, also review whether open user registration is enabled, and audit existing user roles after patching: the update does not revert privileges an attacker may already have granted themselves. [1]
