The vulnerability identified as CVE-2025-11816 affects the WP Legal Pages WordPress plugin, specifically versions up to and including 3.5.1. This plugin provides automated generation of Privacy Policy and Terms & Conditions pages for WordPress sites. The root cause is a missing authorization (capability) check in the disconnect_account_request() function. This function is responsible for disconnecting the WordPress site from its associated API plan, which is critical for the plugin's operation and potentially for compliance or legal documentation updates. Because the function lacks proper capability verification, unauthenticated attackers can invoke it remotely without any credentials or user interaction. This unauthorized access allows attackers to forcibly disconnect the site from its API plan, effectively modifying the plugin's state without permission. While this does not expose sensitive data or cause denial of service directly, it undermines the integrity of the plugin’s operation and could disrupt automated legal page updates or compliance workflows. The CVSS v3.1 base score is 5.3, reflecting network attack vector, no privileges required, no user interaction, and impact limited to integrity. No patches are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is categorized under CWE-862 (Missing Authorization).

The primary impact of this vulnerability is unauthorized modification of the plugin’s connection state, which can disrupt the site’s ability to maintain up-to-date legal documentation generated via the API. This could lead to compliance risks if legal pages are outdated or missing, potentially exposing organizations to regulatory penalties or legal challenges. While confidentiality and availability are not directly affected, the integrity of the plugin’s functionality is compromised. Attackers could cause administrative confusion or operational disruption by disconnecting the API plan, requiring manual intervention to restore service. For organizations relying heavily on automated legal compliance tools, this could increase operational overhead and risk. The vulnerability’s ease of exploitation (no authentication or user interaction required) increases its threat potential, especially for publicly accessible WordPress sites using this plugin.

1. Immediately update the WP Legal Pages plugin to a version that includes the authorization check once a patch is released. Monitor the vendor’s announcements for patch availability. 2. Until a patch is available, restrict access to the disconnect_account_request() function by implementing web application firewall (WAF) rules that block unauthenticated requests to the relevant endpoints or parameters. 3. Employ WordPress security best practices such as limiting plugin usage to trusted sources and minimizing plugin footprint. 4. Monitor web server logs for suspicious requests targeting the disconnect_account_request() function or unusual API disconnection events. 5. Consider disabling or removing the plugin if it is not critical to operations or if alternative compliant solutions exist. 6. Implement strict role-based access control (RBAC) and ensure that only authorized administrators can perform sensitive plugin operations. 7. Regularly audit plugin permissions and capabilities to detect missing authorization checks proactively.