The vulnerability identified as CVE-2025-11816 affects the WP Legal Pages WordPress plugin, specifically versions up to and including 3.5.1. This plugin is used to generate Privacy Policy and Terms & Conditions pages for WordPress websites. The core issue is a missing authorization check (CWE-862) in the disconnect_account_request() function, which is responsible for disconnecting the site from its associated API plan. Due to the lack of capability verification, an unauthenticated attacker can invoke this function remotely without any credentials or user interaction, causing the site to lose its connection to the API plan. This unauthorized modification does not expose confidential data or cause denial of service but can disrupt the plugin’s intended operation, potentially impacting the site's legal compliance documentation management. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the ease of exploitation (network vector, no privileges required) but limited impact on confidentiality and availability. No patches or official fixes have been published at the time of disclosure, and no known exploits have been reported in the wild. The vulnerability requires immediate attention from site administrators using this plugin to prevent unauthorized disconnection from the API, which could lead to compliance risks or degraded site functionality related to legal pages.

For European organizations, this vulnerability poses a risk primarily to the integrity of site management functions related to legal compliance documentation. Unauthorized disconnection from the API plan could disable or impair automated updates or management of Privacy Policy and Terms & Conditions pages, potentially leading to outdated or non-compliant legal notices on websites. This could result in regulatory scrutiny or penalties under GDPR and other European data protection laws. While the vulnerability does not directly compromise user data confidentiality or site availability, the disruption of legal page management can have indirect reputational and compliance impacts. Organizations relying on WP Legal Pages for maintaining up-to-date legal documents on their websites are particularly vulnerable. The ease of exploitation without authentication means attackers can target multiple sites at scale, increasing the risk of widespread disruption. European companies with strong regulatory oversight and high web presence are at greater risk of operational and compliance impacts.

Since no official patch is currently available, European organizations should implement immediate compensating controls. These include restricting access to the disconnect_account_request() function by implementing custom authorization checks or firewall rules to block unauthenticated requests targeting this endpoint. Administrators should audit web server and plugin logs for suspicious requests attempting to invoke this function. Disabling or temporarily removing the WP Legal Pages plugin until a patch is released is advisable for high-risk environments. Additionally, organizations should monitor updates from the plugin vendor and apply patches promptly once available. Employing Web Application Firewalls (WAFs) with custom rules to detect and block exploitation attempts can provide an additional layer of defense. Finally, organizations should review their legal page management processes to ensure manual oversight in case automated API connections are disrupted.