Description
The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disconnect_account_request() function in all versions up to, and including, 3.5.1. This makes it possible for unauthenticated attackers to disconnect the site from its API plan.
Published: 2025-11-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized API disconnect via missing authorization check
Action: Immediate Patch
AI Analysis

Impact

The WP Legal Pages plugin for WordPress includes a disconnect_account_request() function that lacks a capability check (CWE-862, Missing Authorization). Because the handler never verifies that the caller holds an administrative capability, an unauthenticated visitor who can reach the endpoint can invoke it and force the site to disconnect from its external API plan, changing stored connection state without logging in. The result is loss of the active API plan and potential disruption of the features that depend on it; the flaw does not by itself expose site data or grant further control, which matches the CVSS vector recording an integrity impact only.

Affected Systems

All releases of the WP Legal Pages plugin up to and including version 3.5.1 are affected, on any WordPress site where the plugin is active. The defect is in the plugin's own request handler, not in WordPress core.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) yields a score of 5.3, medium severity: network-reachable, low attack complexity, no privileges or user interaction required, with a limited integrity impact and no confidentiality or availability impact. The EPSS score is reported as < 1%, a very low predicted exploitation probability, and the issue is not listed in the CISA KEV catalog; the SSVC assessment records exploitation as 'none' but rates the attack as automatable. The attack is a single unauthenticated request to the disconnect endpoint from any network location; no credentials, session, or user interaction are needed. Based on the description, the impact is limited to loss of the active API plan association and the resulting service disruption, with no additional privileges or data exposure.

Generated by OpenCVE AI on April 28, 2026 at 18:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Legal Pages plugin to a release later than 3.5.1 that adds the missing capability check to disconnect_account_request(); this page names no fixing version, so confirm it against the plugin changelog.
  • If an immediate update is not possible, block unauthenticated access to the disconnect endpoint (for example with a web-server or WAF rule on the request that triggers it, or a must-use plugin that aborts the request for callers lacking the required capability), or temporarily deactivate the plugin.
  • Alternatively, apply a temporary code patch that adds a capability check (and a nonce check) to disconnect_account_request() so that only authorized users can trigger it.
  • Monitor site logs for unexpected disconnect events and alert on them; a disconnect that does not coincide with an administrator's action is a sign of abuse.
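To make the code-patch and stopgap recommendations concrete, the following is an example added by the editor, not code from the WP Legal Pages plugin: an admin-ajax handler written in the shape that produces this class of bug, its hardened form, and a must-use-plugin stopgap for sites that cannot patch yet. The AJAX action name wplp_disconnect_account, the option name wplp_api_connection and the nonce action are assumptions; the plugin's real hook and option names are not given on this page.

```php
<?php
/**
 * Illustrative example added by the editor; not code from the WP Legal Pages
 * plugin. The AJAX action 'wplp_disconnect_account', the option
 * 'wplp_api_connection' and the nonce action are assumptions.
 */

// ---- 1. The CWE-862 pattern: a handler with no authorization check -------
function wplp_example_vulnerable_disconnect() {
    // Nothing verifies who is calling: no capability check, no nonce.
    delete_option( 'wplp_api_connection' ); // assumed option holding the API plan link
    wp_send_json_success( array( 'disconnected' => true ) );
}
// The vulnerable shape registers both hooks. The nopriv variant is what makes
// the handler reachable by logged-out visitors; the missing capability check is
// what makes that fatal. Shown here but left commented so this file does not
// register two handlers on the same action:
// add_action( 'wp_ajax_nopriv_wplp_disconnect_account', 'wplp_example_vulnerable_disconnect' );
// add_action( 'wp_ajax_wplp_disconnect_account',        'wplp_example_vulnerable_disconnect' );

// ---- 2. Hardened handler -------------------------------------------------
function wplp_example_hardened_disconnect() {
    // CSRF: the request must carry a nonce issued to the current user for this action.
    check_ajax_referer( 'wplp_disconnect_account', 'nonce' );

    // Authorization (the missing check): only administrators may alter the API link.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    delete_option( 'wplp_api_connection' );

    // Audit trail so unexpected disconnects can be spotted in the PHP error log.
    error_log( sprintf(
        'wplp: API disconnect by user %d from %s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    wp_send_json_success( array( 'disconnected' => true ) );
}
// Authenticated hook only; there is deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_wplp_disconnect_account', 'wplp_example_hardened_disconnect' );

// ---- 3. Stopgap for sites that cannot patch the plugin yet ---------------
// Place in wp-content/mu-plugins/. admin-ajax.php fires 'admin_init' before it
// dispatches the wp_ajax_* / wp_ajax_nopriv_* hooks, so an early listener can
// refuse the request for callers without the capability, whatever the plugin
// does afterwards.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() || ! isset( $_REQUEST['action'] ) ) {
        return;
    }
    if ( 'wplp_disconnect_account' === $_REQUEST['action']   // assumed action name
        && ! current_user_can( 'manage_options' ) ) {
        error_log( 'wplp: blocked unauthorized disconnect attempt from '
            . ( isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown' ) );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}, 0 );
```

The capability check is the fix for CWE-862; the nonce check addresses the separate CSRF risk of an administrator being tricked into triggering the disconnect, and the admin page's JavaScript would have to send a value from wp_create_nonce( 'wplp_disconnect_account' ) in the nonce parameter. The stopgap in part 3 only helps if the plugin really dispatches the disconnect through admin-ajax.php under the assumed action name; confirm the actual entry point in the installed plugin before relying on it.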

Advisories

No advisories yet.

History

Mon, 03 Nov 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Nov 2025 10:45:00 +0000

Type: First Time appeared
Values removed: none
Values added: Wordpress; Wordpress wordpress; Wplegalpages; Wplegalpages wp Legal Pages

Type: Vendors & Products
Values removed: none
Values added: Wordpress; Wordpress wordpress; Wplegalpages; Wplegalpages wp Legal Pages

Sat, 01 Nov 2025 02:00:00 +0000

Type: Description
Values added: The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disconnect_account_request() function in all versions up to, and including, 3.5.1. This makes it possible for unauthenticated attackers to disconnect the site from its API plan.

Type: Title
Values added: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages <= 3.5.1 - Missing Authorization to Unauthenticated API Disconnect

Type: Weaknesses
Values added: CWE-862

Type: References
Values added: none listed

Type: Metrics (cvssV3_1)
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:21.776Z

Reserved: 2025-10-15T16:49:42.300Z

Link: CVE-2025-11816

Vulnrichment

Updated: 2025-11-03T18:57:43.331Z

NVD

Status: Deferred

Published: 2025-11-01T02:15:32.843

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11816

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T18:45:15Z

Weaknesses