Executive Summary

CVE-2025-67967 is a Broken Access Control vulnerability in the WordPress Lawyer Directory Plugin versions up to 1.3.3. It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions, allowing users with low privileges (such as subscribers) to perform actions that should be restricted to higher-privileged roles. This means unauthorized users can gain access or control beyond their intended permissions. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access or control within the Lawyer Directory Plugin, allowing low-privileged users to perform privileged actions. This poses a significant security risk as attackers could manipulate or access sensitive data or functionality they should not have access to. The vulnerability has a high CVSS score of 7.6, indicating a high likelihood of exploitation and serious impact if not patched promptly. [1]

Useful 0 Not Useful 0

Detection Guidance

Detection involves monitoring for exploitation attempts where subscriber-level users perform actions reserved for higher-privileged roles within the Lawyer Directory Plugin (versions ≤1.3.3). Since the vulnerability allows unauthorized access via missing authorization checks, you can audit plugin logs for unusual privilege escalations or unauthorized actions. Additionally, using Patchstack's automatic mitigation rule can help detect and block exploitation attempts. Specific commands are not provided in the resources. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediately update the WordPress Lawyer Directory Plugin to version 1.3.4 or later, which fixes the access control flaws. Until the update is applied, enable Patchstack's automatic mitigation rule to block exploitation attempts. If using Patchstack, enable auto-updates for vulnerable plugins to ensure rapid protection. [1]

Useful 0 Not Useful 0