CVE-2025-67974 in WPLegalPages Plugin

Summary

by MITRE • 02/20/2026

Missing Authorization vulnerability in WP Legal Pages WPLegalPages wplegalpages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPLegalPages: from n/a through <= 3.5.4.


Analysis

by VulDB Data Team • 02/22/2026

The vulnerability identified as CVE-2025-67974 represents a critical missing authorization flaw within the WP Legal Pages plugin for WordPress systems. This security weakness manifests as an incorrectly configured access control mechanism that permits unauthorized users to exploit administrative functions typically restricted to privileged personnel. The vulnerability exists in versions of the WPLegalPages plugin ranging from the initial release through version 3.5.4, indicating a widespread exposure across multiple iterations of the software. The affected plugin, which is designed to help website administrators generate legal documents such as privacy policies and terms of service, has been configured in a manner that fails to properly validate user permissions before executing sensitive operations.

The flaw stems from inadequate input validation and access control checks in the plugin's codebase. When a user attempts to perform an administrative task through the plugin's interface, the plugin does not sufficiently verify that the requesting user holds the privileges required for that operation. This misconfiguration gives an attacker a path to escalate privileges or reach restricted functionality without proper authentication. The flaw operates at the application level and can be exploited through various attack vectors, including direct API calls, parameter manipulation, or session hijacking. In CWE terms it maps to CWE-285 (Improper Authorization), that is, a weak access control mechanism.

The operational impact of CVE-2025-67974 extends beyond simple unauthorized access: an attacker could modify legal documents, alter plugin configurations, or even gain complete control over the affected WordPress installation. The vulnerability aligns with ATT&CK technique T1078, which covers legitimate credentials and privilege escalation, since attackers can exploit the missing authorization controls to assume administrative roles. The consequences include potential data breaches, content manipulation, and the ability to install malicious plugins or backdoors. Organizations using affected versions of WPLegalPages face a significant risk of compromise, particularly where the plugin manages sensitive legal documentation or where administrative access is not properly segmented from regular user access.

Mitigation must address both immediate remediation and long-term security improvements. The most effective immediate step is upgrading to the latest version of the WPLegalPages plugin, in which the authorization checks have been properly implemented and validated. System administrators should also review access controls to ensure that every plugin function is restricted to authorized users only. Additional protective measures include network segmentation, monitoring for unauthorized access attempts, and regular security audits of installed plugins. The vulnerability illustrates the importance of proper input validation and access control, as outlined in frameworks such as the OWASP Top Ten, where insufficient logging and monitoring of access attempts can compound the risk of exploitation. Organizations should also consider a web application firewall to detect and block exploitation attempts against known vulnerabilities in WordPress plugins.
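To make the defect class concrete, the following is an added illustration, not code from the WPLegalPages plugin: a WordPress admin-ajax handler that performs a privileged write with no authorization decision, beside the hardened form. The hook, option and function names are hypothetical.

```php
<?php
// Added illustration of CWE-285 (missing authorization) in a WordPress plugin.
// Not WPLegalPages code; hook names, option keys and function names are hypothetical.

// VULNERABLE PATTERN: the wp_ajax_ hook only requires a logged-in session.
// Nothing here checks that the caller holds an administrative capability, so
// any low-privilege account that can reach admin-ajax.php can overwrite the option.
add_action( 'wp_ajax_lp_save_settings', 'lp_save_settings_vulnerable' );
function lp_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'lp_settings', $settings ); // no capability check, no nonce, no sanitization
    wp_send_json_success();
}

// HARDENED PATTERN: an explicit authorization decision before any state change,
// a nonce so the request cannot be forged, and sanitization before persisting.
add_action( 'wp_ajax_lp_save_settings_v2', 'lp_save_settings_hardened' );
function lp_save_settings_hardened() {
    // 1. Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 2. CSRF protection: nonce bound to this specific action (dies with 403 on failure).
    check_ajax_referer( 'lp_save_settings', '_wpnonce' );

    // 3. Validate and sanitize each field; never store the raw request array.
    $raw      = isset( $_POST['settings'] ) ? wp_unslash( (array) $_POST['settings'] ) : array();
    $settings = array(
        'company_name' => sanitize_text_field( $raw['company_name'] ?? '' ),
        'policy_page'  => absint( $raw['policy_page'] ?? 0 ),
    );

    update_option( 'lp_settings', $settings );
    wp_send_json_success( $settings );
}
```

When reviewing a plugin for this issue, look for every `wp_ajax_*`, `admin_post_*` and REST route callback that changes state and confirm the capability check is the first thing it does; a missing `permission_callback` or `__return_true` on a REST route is the same defect.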

Disclosure

02/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00047

KEV

no

Activities

very low
