CVE-2025-48242: CWE-862 Missing Authorization in wpWax Legal Pages
Missing Authorization vulnerability in wpWax Legal Pages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Legal Pages: from n/a through 1.4.5.
AI Analysis
Technical Summary
CVE-2025-48242 is a Missing Authorization vulnerability (CWE-862) identified in the wpWax Legal Pages plugin, affecting versions up to 1.4.5. This vulnerability arises due to incorrectly configured access control mechanisms, allowing users with limited privileges (PR:L - Privileges Required: Low) to access or perform actions that should be restricted. The vulnerability does not require user interaction (UI:N) and can be exploited remotely over the network (AV:N) with low attack complexity (AC:L). The impact primarily affects confidentiality (C:H), meaning sensitive information managed or displayed by the Legal Pages plugin could be exposed to unauthorized users. However, integrity and availability are not impacted. The plugin is used within WordPress environments to manage legal documentation pages, such as privacy policies, terms of service, and disclaimers. Exploitation could allow an attacker with low-level privileges, such as a subscriber or contributor, to view or extract sensitive legal content or potentially access other protected data linked through these pages. Although no known exploits are currently reported in the wild, the medium CVSS score of 6.5 reflects a moderate risk due to the ease of exploitation and the confidentiality impact. The absence of a patch link indicates that a fix may not yet be publicly available, emphasizing the need for vigilance and interim mitigations.
Potential Impact
For European organizations, especially those operating websites with WordPress installations using the wpWax Legal Pages plugin, this vulnerability poses a risk of unauthorized disclosure of sensitive legal information. This could include internal policies, compliance statements, or other legal content that might reveal organizational practices or compliance gaps. Exposure of such information could lead to reputational damage, regulatory scrutiny under GDPR if personal data handling policies are compromised, or provide attackers with intelligence to craft more targeted attacks. Organizations in regulated sectors such as finance, healthcare, and public services could face heightened risks due to the sensitivity of their legal disclosures. Additionally, since the vulnerability requires only low-level privileges, it could be exploited by malicious insiders or compromised low-privilege accounts, increasing the threat surface. The lack of impact on integrity and availability reduces the risk of service disruption or data tampering but does not diminish the importance of protecting confidentiality in legal documentation.
Mitigation Recommendations
European organizations should immediately audit their WordPress environments to identify installations of the wpWax Legal Pages plugin and verify the versions in use. Until an official patch is released, administrators should restrict plugin access strictly to trusted users with appropriate privileges and consider temporarily disabling the plugin if feasible. Implementing additional access control layers at the web server or application firewall level can help block unauthorized access attempts to legal pages. Monitoring user activity logs for unusual access patterns to these pages is recommended to detect potential exploitation attempts. Organizations should also ensure that WordPress and all plugins are kept up to date and subscribe to vendor or security mailing lists for timely patch releases. Where possible, conduct penetration testing focused on access control to validate that no other authorization weaknesses exist. Finally, review and tighten user role assignments to minimize the number of users with even low-level privileges that could exploit this vulnerability.
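An added example for the audit step above (not from the advisory or the plugin's vendor): it reads the standard WordPress plugin header in each `wp-content/plugins/*/*.php` file and flags any plugin whose name matches "Legal Pages" at a version within the stated range, through 1.4.5. The name match, the directory names and the 1.4.6 sample version are assumptions constructed for the demonstration.

```python
import re, sys, tempfile
from pathlib import Path

LAST_AFFECTED = (1, 4, 5)  # advisory: affected "through 1.4.5"
# Assumption: the plugin's header name contains "Legal Pages" (name taken from the advisory).
NAME_PATTERN = re.compile(r"legal\s+pages", re.I)
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.I | re.M)

def parse_version(text):
    """'1.4.5', '1.4.5.0' or '1.4.5-beta' -> (1, 4, 5)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])] or [0]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def read_header(php_file):
    """Return (name, version) from a WordPress plugin header comment, or None."""
    try:
        head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    except OSError:
        return None
    fields = {key.lower(): value for key, value in HEADER.findall(head)}
    name = fields.get("plugin name")
    # A missing Version header is treated as "0", so the plugin is flagged for review.
    return (name, fields.get("version", "0")) if name else None

def audit(plugins_dir):
    """Return (directory, name, version, affected) for each matching plugin."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        if header and NAME_PATTERN.search(header[0]):
            affected = parse_version(header[1]) <= LAST_AFFECTED
            findings.append((php_file.parent.name, *header, affected))
    return findings

def demo():
    """Audit a constructed plugins tree (directory names are placeholders)."""
    with tempfile.TemporaryDirectory() as root:
        for slug, name, version in [("placeholder-a", "Legal Pages", "1.4.5"),
                ("placeholder-b", "Legal Pages", "1.4.6"), ("other", "Contact Form", "1.0.0")]:
            Path(root, slug).mkdir()
            Path(root, slug, "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
        return audit(root)

if __name__ == "__main__":
    rows = audit(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for slug, name, version, affected in rows:
        print(f"{slug}\t{name}\t{version}\t{'AFFECTED' if affected else 'not in affected range'}")
```

Pass the path to a site's `wp-content/plugins` directory as the first argument; with no argument it runs against the constructed sample tree.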
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-05-19T14:13:02.790Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0f81484d88663aeb618
Added to database: 5/20/2025, 6:59:04 PM
Last enriched: 7/11/2025, 6:05:20 PM
Last updated: 8/11/2025, 3:26:32 AM