2025-11-01 1:47 CVE-2025-11816 Wordfence
PUBLISHED 5.2 CWE-862

Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages <= 3.5.1 - Missing Authorization to Unauthenticated API Disconnect

The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disconnect_account_request() function in all versions up to, and including, 3.5.1. This makes it possible for unauthenticated attackers to disconnect the site from its API plan.

Problem type

Affected products

wplegalpages

Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages

<= 3.5.1 - AFFECTED

References

GitHub Security Advisories

GHSA-4jmj-6pw4-g738

The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages...

https://github.com/advisories/GHSA-4jmj-6pw4-g738


JSON source

{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2025-11816",
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "dateUpdated": "2025-11-01T01:47:40.667Z",
    "dateReserved": "2025-10-15T16:49:42.300Z",
    "datePublished": "2025-11-01T01:47:40.230Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence",
        "dateUpdated": "2025-11-01T01:47:40.667Z"
      },
      "title": "Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages <= 3.5.1 - Missing Authorization to Unauthenticated API Disconnect",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disconnect_account_request() function in all versions up to, and including, 3.5.1. This makes it possible for unauthenticated attackers to disconnect the site from its API plan."
        }
      ],
      "affected": [
        {
          "vendor": "wplegalpages",
          "product": "Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "*",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "3.5.1"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-862 Missing Authorization",
              "cweId": "CWE-862",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2116340a-160f-493c-abe3-75b05282d78a?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wplegalpages/tags/3.5.1/admin/class-wp-legal-pages-admin.php#L114"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wplegalpages/tags/3.5.1/admin/class-wp-legal-pages-admin.php#L138"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3385159/wplegalpages/trunk?contextall=1&old=3375554&old_path=%2Fwplegalpages%2Ftrunk"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "timeline": [
        {
          "time": "2025-10-31T13:45:14.000+00:00",
          "lang": "en",
          "value": "Disclosed"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Rafshanzani Suhada",
          "type": "finder"
        }
      ]
    }
  }
}

Mitre source

https://cveawg.mitre.org/api/cve/CVE-2025-11816