Description
Missing Authorization vulnerability in Ronald Huereca Highlight and Share highlight-and-share allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Highlight and Share: from n/a through <= 5.2.0.
Published: 2025-12-09
Score: 4.7 Medium
EPSS: 1.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a missing authorization flaw that can allow an attacker to bypass the intended access controls of the Highlight and Share plugin. By exploiting incorrectly configured security levels, a user who is not normally permitted can gain access to functionalities or data that should be restricted. The weakness is registered as CWE‑862, indicating that the system fails to enforce appropriate privilege checks, potentially impacting confidentiality and integrity of plugin data and actions.

Affected Systems

The vulnerability affects the Highlight and Share WordPress plugin developed by Ronald Huereca, including all released versions up to and including 5.2.0. Users with installations of these versions are susceptible unless they have applied a later fix or otherwise restricted plugin access.

Risk and Exploitability

The CVSS score of 4.7 places this issue in the moderate risk range, while the EPSS score of 2% suggests a modest likelihood of exploitation in the wild. It is not currently listed in the CISA KEV catalog. The likely attack vector is through a web request to the plugin’s endpoints, which an attacker can manipulate to override normal access checks. Successful exploitation would allow the attacker to read or modify plugin data that is otherwise protected.

Generated by OpenCVE AI on April 29, 2026 at 19:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Highlight and Share to the latest version (greater than 5.2.0).
  • If an upgrade is not possible, remove all non-admin roles that have access to the plugin and restrict usage to trusted administrators only.
  • Revoke any unnecessary permissions by editing the plugin’s role settings or using a role‑management plugin.

Generated by OpenCVE AI on April 29, 2026 at 19:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Wed, 10 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Ronald Huereca
Ronald Huereca highlight And Share
Wordpress
Wordpress wordpress
Vendors & Products Ronald Huereca
Ronald Huereca highlight And Share
Wordpress
Wordpress wordpress

Tue, 09 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 14:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Ronald Huereca Highlight and Share highlight-and-share allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Highlight and Share: from n/a through <= 5.2.0.
Title WordPress Highlight and Share plugin <= 5.2.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Ronald Huereca Highlight And Share
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:21.967Z

Reserved: 2025-12-09T12:21:39.680Z

Link: CVE-2025-67586

cve-icon Vulnrichment

Updated: 2025-12-09T20:54:07.349Z

cve-icon NVD

Status : Deferred

Published: 2025-12-09T16:18:36.527

Modified: 2026-04-27T18:16:44.833

Link: CVE-2025-67586

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T19:45:18Z

Weaknesses