CVE-2025-67974
Awaiting Analysis
Missing Authorization in WP Legal Pages Allows Unauthorized Access

Publication date: 2026-02-20

Last updated on: 2026-04-27

Assigner: Patchstack

Description
Missing Authorization vulnerability in WP Legal Pages WPLegalPages wplegalpages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPLegalPages: from n/a through <= 3.5.4.

Meta Information

Published: 2026-02-20
Last Modified: 2026-04-27
Generated: 2026-06-16
AI Q&A: 2026-02-20
EPSS Evaluated: 2026-06-14

Affected Vendors & Products

Vendor: patchstack
Product: wplegalpages
Version / Range: to 3.5.4 (inc)

CWE

CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2025-67974 is a high-priority Broken Access Control vulnerability in the WordPress WPLegalPages plugin versions up to and including 3.5.4.

The issue arises from missing authorization, authentication, or nonce token checks within certain plugin functions, which allows unauthenticated users to perform actions that should be restricted to higher-privileged users.

This means that attackers do not need any privileges to exploit this vulnerability, making it particularly dangerous for sites using the affected plugin.

Impact Analysis

This vulnerability can allow unauthorized users to perform privileged actions on a WordPress site using the vulnerable WPLegalPages plugin.

Because no authentication is required to exploit this issue, attackers can potentially manipulate or access sensitive legal page content or settings that should be restricted.

Such unauthorized access can lead to site misconfiguration, data exposure, or other security breaches, posing a significant security risk.


Detection Guidance

This vulnerability can be detected by checking if your WordPress site is running the WPLegalPages plugin version 3.5.4 or earlier, as these versions are affected by missing authorization checks.

Monitoring web server logs for unauthorized access attempts to WPLegalPages plugin functions may help detect exploitation attempts or the presence of the vulnerability.

The available resources do not provide specific detection commands, but you can check the installed plugin version, for example:

  • Using WP-CLI: wp plugin list | grep wplegalpages
  • Checking plugin version in the WordPress admin dashboard under Plugins.

Additionally, network monitoring tools or web application firewalls (WAF) with rules targeting this vulnerability (such as those provided by Patchstack) can help detect exploitation attempts.
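
An added example (not from the advisory or the plugin's code) that runs the version check described above across several WordPress installs: it reads the plugin version with WP-CLI and classifies it against 3.5.5, the release the page names as patched. The function names and the install paths passed as arguments are assumptions.

```shell
#!/bin/sh
# Added example: flag WPLegalPages installs below the fixed release.
FIXED_VERSION="3.5.5"        # first patched release named on this page
PLUGIN_SLUG="wplegalpages"   # slug as used in the page's grep command

# version_lt A B: succeeds when dotted numeric version A is lower than B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the component just read; clear the string after the last one.
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}   # a missing component counts as 0 (3.5 == 3.5.0)
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # equal versions are not "lower"
}

# classify_version VERSION: prints "affected", "patched" or "unknown".
classify_version() {
    case "$1" in
        ''|.*|*[!0-9.]*) echo "unknown"; return 0 ;;   # not a plain x.y.z string
    esac
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "affected"
    else
        echo "patched"
    fi
}

# check_site PATH: query one WordPress install through WP-CLI.
check_site() {
    ver=$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$1" 2>/dev/null) || {
        echo "$1: $PLUGIN_SLUG not installed or WP-CLI failed"
        return 0
    }
    echo "$1: $PLUGIN_SLUG $ver -> $(classify_version "$ver")"
}

# Usage: sh check_wplegalpages.sh /var/www/site1 /var/www/site2
for site in "$@"; do
    check_site "$site"
done
```

A result of "unknown" (for example a pre-release suffix in the version string) should be reviewed by hand rather than treated as patched.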

Mitigation Strategies

The primary immediate mitigation step is to update the WPLegalPages plugin to version 3.5.5 or later, where the vulnerability has been patched.

Until you can update, applying the mitigation rule provided by Patchstack to block attacks targeting this vulnerability is recommended.

Using Patchstack's automatic update feature for vulnerable plugins can also ensure rapid protection.

Since the vulnerability requires no privileges to exploit, restricting access to the plugin's functions via additional access control or web application firewall rules can reduce risk. [1]
