{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11816", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-15T16:49:42.300Z", "datePublished": "2025-11-01T01:47:40.230Z", "dateUpdated": "2026-04-08T16:41:21.776Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:21.776Z"}, "affected": [{"vendor": "wplegalpages", "product": "Privacy Policy Generator \u2013 WPLP Legal Pages", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disconnect_account_request() function in all versions up to, and including, 3.5.1. This makes it possible for unauthenticated attackers to disconnect the site from its API plan."}], "title": "Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages <= 3.5.1 - Missing Authorization to Unauthenticated API Disconnect", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2116340a-160f-493c-abe3-75b05282d78a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wplegalpages/tags/3.5.1/admin/class-wp-legal-pages-admin.php#L114"}, {"url": "https://plugins.trac.wordpress.org/browser/wplegalpages/tags/3.5.1/admin/class-wp-legal-pages-admin.php#L138"}, {"url": "https://plugins.trac.wordpress.org/changeset/3385159/wplegalpages/trunk?contextall=1&old=3375554&old_path=%2Fwplegalpages%2Ftrunk"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "timeline": [{"time": "2025-10-31T13:45:14.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-03T18:57:38.816300Z", "id": "CVE-2025-11816", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-03T18:57:46.543Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11816", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-03T18:57:38.816300Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-03T18:57:43.331Z"}}], "cna": {"title": "Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages <= 3.5.1 - Missing Authorization to Unauthenticated API Disconnect", "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wplegalpages", "product": "Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.5.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-31T13:45:14.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2116340a-160f-493c-abe3-75b05282d78a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wplegalpages/tags/3.5.1/admin/class-wp-legal-pages-admin.php#L114"}, {"url": "https://plugins.trac.wordpress.org/browser/wplegalpages/tags/3.5.1/admin/class-wp-legal-pages-admin.php#L138"}, {"url": "https://plugins.trac.wordpress.org/changeset/3385159/wplegalpages/trunk?contextall=1&old=3375554&old_path=%2Fwplegalpages%2Ftrunk"}], "descriptions": [{"lang": "en", "value": "The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disconnect_account_request() function in all versions up to, and including, 3.5.1. This makes it possible for unauthenticated attackers to disconnect the site from its API plan."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-01T01:47:40.667Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11816", "state": "PUBLISHED", "dateUpdated": "2025-11-03T18:57:46.543Z", "dateReserved": "2025-10-15T16:49:42.300Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-01T01:47:40.230Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disconnect_account_request() function in all versions up to, and including, 3.5.1. This makes it possible for unauthenticated attackers to disconnect the site from its API plan."}], "id": "CVE-2025-11816", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-01T02:15:32.843", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wplegalpages/tags/3.5.1/admin/class-wp-legal-pages-admin.php#L114"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wplegalpages/tags/3.5.1/admin/class-wp-legal-pages-admin.php#L138"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3385159/wplegalpages/trunk?contextall=1&old=3375554&old_path=%2Fwplegalpages%2Ftrunk"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2116340a-160f-493c-abe3-75b05282d78a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:38:59.003411+00:00", "value": {"mitigation_remediation": ["Update the WP Legal Pages plugin to the latest version, which removes the missing capability check and resolves the issue.", "If an immediate update is not possible, disable the disconnect functionality by removing or restricting the disconnect endpoint from the plugin\u2019s admin interface or temporarily deactivating the plugin.", "Apply a temporary code patch that restores a capability check to the disconnect_account_request() function so that only authorized users can trigger it.", "Monitor site logs for unexpected disconnect events and set alerts to detect unauthorized use."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized API disconnect via missing authorization check"}, "threat_synthesis": {"affected_systems": "All releases of the WP Legal Pages plugin up to and including version 3.5.1 are affected. The vulnerability exists in every affected installation on a WordPress site where the plugin is active.", "description_and_impact": "The WP Legal Pages plugin for WordPress includes a disconnect_account_request() function that lacks a capability check (CWE-862). This flaw allows unauthenticated callers to invoke the API disconnect endpoint and force the site to disconnect from its external API plan, modifying connection state without any authentication or administrative privileges. The resulting impact is a loss of the active API plan and potential disruption of dependent services, but does not grant further access to site data or control.", "risk_and_exploitability": "The CVSS score of 5.3 places the flaw in the medium severity range. The EPSS score is reported as < 1%, indicating a very low predicted exploitation probability, and the issue is not listed in the CISA KEV catalog. The likely attack vector is sending an unauthenticated request to the disconnect endpoint from any network location, as authentication is not required. Based on the description, it is inferred that the impact is limited to loss of the active API plan association and potential service disruption, with no additional privileges or data exposure."}}}}, "created": "2025-11-03T10:43:40.167403+00:00", "updated": "2026-04-28T18:45:15.975892+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wplegalpages", "wplegalpages$PRODUCT$wp_legal_pages"]}