Description
Missing Authorization vulnerability in wpWax Legal Pages legal-pages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Legal Pages: from n/a through <= 1.4.6.
Published: 2025-11-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the wpWax Legal Pages plugin that lets an attacker exploit incorrectly configured access control levels. An attacker can gain unauthorized access to protected legal page content or settings, potentially modifying or exposing sensitive information. The weakness is classified as CWE-862 (Missing Authorization): the plugin fails to enforce proper privilege checks.

Affected Systems

WordPress sites running the wpWax Legal Pages plugin version 1.4.6 or earlier. The issue spans all installations of this plugin in those versions, regardless of WordPress version.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. The associated EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA KEV. Exploitation requires access to the WordPress site's web interface; the likely attack vector is an authenticated user with permissions insufficiently checked by the plugin. Based on the description, it is inferred that any authenticated WordPress user may trigger the flaw without additional privilege escalation. Note that the current CVSS vector on this record sets PR:N and UI:N, meaning it scores the flaw as requiring no privileges and no user interaction.

Generated by OpenCVE AI on April 29, 2026 at 19:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the wpWax Legal Pages plugin to a version newer than 1.4.6, if available.
  • If an upgrade is not possible, temporarily disable or remove the plugin from the site.
  • Review and tighten WordPress role permissions to ensure only administrators can access legal page settings, mitigating the access control failure.



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Thu, 22 Jan 2026 00:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 24 Nov 2025 09:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wpwax; Wpwax legal Pages

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wpwax; Wpwax legal Pages

Fri, 21 Nov 2025 22:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


Fri, 21 Nov 2025 12:45:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in wpWax Legal Pages legal-pages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Legal Pages: from n/a through <= 1.4.6.

Type: Title
Values Added: WordPress Legal Pages plugin <= 1.4.6 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:16.240Z

Reserved: 2025-11-21T11:20:58.862Z

Link: CVE-2025-66077

Vulnrichment

Updated: 2025-11-21T21:47:16.087Z

NVD

Status: Deferred

Published: 2025-11-21T13:15:48.680

Modified: 2026-04-27T18:16:33.793

Link: CVE-2025-66077

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T20:00:18Z

Weaknesses