
CVE-2025-66077: Missing Authorization in wpWax Legal Pages

Severity: Medium
Published: Fri Nov 21 2025 (11/21/2025, 12:29:57 UTC)
Source: CVE Database V5
Vendor/Project: wpWax
Product: Legal Pages

Description

Missing Authorization vulnerability in wpWax Legal Pages legal-pages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Legal Pages: from n/a through <= 1.4.6.

AI-Powered Analysis

AI analysis last updated: 01/21/2026, 00:22:05 UTC

Technical Analysis

CVE-2025-66077 is a vulnerability identified in the wpWax Legal Pages WordPress plugin, specifically affecting versions up to and including 1.4.6. The core issue is a missing authorization control, meaning that certain administrative or sensitive functions within the plugin can be accessed by unauthorized users. This occurs due to incorrectly configured access control security levels, allowing attackers to bypass intended restrictions. The vulnerability is remotely exploitable over the network without requiring any privileges (PR:N), but it does require user interaction (UI:R), such as the victim clicking a malicious link or visiting a crafted page. The CVSS v3.1 base score is 4.3, indicating a medium severity. The impact is limited to confidentiality, with no direct effect on integrity or availability. This suggests that an attacker might be able to view or extract some sensitive information managed by the plugin but cannot modify or disrupt the service. No known exploits are currently reported in the wild, and no patches have been released at the time of publication. The vulnerability affects the Legal Pages plugin, which is used to manage legal compliance content on WordPress sites, such as privacy policies, terms of service, and cookie notices. Because these pages often contain sensitive compliance information, unauthorized access could expose internal legal configurations or data. The missing authorization could be exploited by attackers to gather information that might aid further attacks or compliance violations. Given the plugin’s role, the vulnerability is primarily an information disclosure risk rather than a direct system compromise.

Potential Impact

For European organizations, the impact of CVE-2025-66077 centers on potential unauthorized disclosure of legal and compliance-related information managed by the wpWax Legal Pages plugin. This could lead to exposure of sensitive policy configurations or internal compliance details, potentially aiding attackers in crafting more targeted attacks or causing reputational damage. While the vulnerability does not allow modification or disruption of services, the confidentiality breach could have regulatory implications under GDPR if personal data or compliance mechanisms are indirectly exposed. Organizations relying on WordPress sites with this plugin, especially those in regulated sectors such as finance, healthcare, or government, may face increased risk of compliance violations or data privacy concerns. The lack of known exploits reduces immediate risk, but the ease of exploitation (no privileges required) means attackers could leverage social engineering to trigger the vulnerability. The medium severity rating reflects the limited scope of impact but acknowledges the importance of legal and compliance data confidentiality in European regulatory environments.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Immediately audit WordPress sites for the presence of the wpWax Legal Pages plugin and identify affected versions (<= 1.4.6).
2) Restrict access to administrative and legal pages through additional web application firewall (WAF) rules or IP whitelisting to limit exposure.
3) Monitor web server and application logs for unusual access patterns or requests targeting legal pages, especially from unauthenticated users.
4) Educate users and administrators about phishing and social engineering risks, since exploitation requires user interaction.
5) Apply the principle of least privilege to WordPress user roles to minimize the potential impact if exploitation occurs.
6) Stay alert for official patches or updates from wpWax and apply them promptly once released.
7) Consider temporarily disabling the plugin or replacing it with an alternative solution if immediate patching is not possible.
8) Conduct regular vulnerability scans and penetration tests focusing on access control weaknesses in WordPress plugins.

These measures go beyond generic advice by focusing on access control hardening, monitoring, and user awareness tailored to this specific vulnerability context.
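For the audit in step 1, the following added example (not from this page or from wpWax) checks per-site output of `wp plugin list --format=json` against the affected range; the inventory is constructed sample data, and the `name`/`status`/`version` field names are assumed to match WP-CLI's JSON output.

```python
import json

# Plugin slug and last affected version, both taken from the CVE record above.
AFFECTED_SLUG = "legal-pages"
LAST_AFFECTED = "1.4.6"

# Constructed sample: per-site output of `wp plugin list --format=json`
# (field names assumed to match WP-CLI's JSON output).
SAMPLE_INVENTORY = {
    "site-a.example": json.dumps([
        {"name": "legal-pages", "status": "active", "version": "1.4.6"},
        {"name": "akismet", "status": "inactive", "version": "5.3"},
    ]),
    "site-b.example": json.dumps([
        {"name": "legal-pages", "status": "active", "version": "1.4.10"},
    ]),
}

def parse_version(v):
    """Dotted version -> tuple of ints so 1.4.10 > 1.4.6; None for 'n/a'."""
    if not v or v.strip().lower() == "n/a":
        return None
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:  # pad so 1.5 compares as 1.5.0
        parts.append(0)
    return tuple(parts)

def is_affected(version):
    """True for versions <= 1.4.6; unknown versions are flagged for review."""
    parsed = parse_version(version)
    return parsed is None or parsed <= parse_version(LAST_AFFECTED)

def audit_sites(inventory):
    """One finding per site running an affected build of the plugin."""
    findings = []
    for site, raw in inventory.items():
        for plugin in json.loads(raw):
            if plugin.get("name") == AFFECTED_SLUG and is_affected(plugin.get("version")):
                findings.append({"site": site, "version": plugin.get("version"),
                                 "status": plugin.get("status")})
    return findings

if __name__ == "__main__":
    for f in audit_sites(SAMPLE_INVENTORY):
        print(f"{f['site']}: legal-pages {f['version']} ({f['status']}) affected by CVE-2025-66077")
```

Comparing as integer tuples avoids the string-comparison trap where "1.4.10" sorts before "1.4.6".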


Technical Details

Data Version
5.2
Assigner Short Name
Patchstack
Date Reserved
2025-11-21T11:20:58.862Z
Cvss Version
null
State
PUBLISHED

Threat ID: 69205c30c36be036e6ff2727

Added to database: 11/21/2025, 12:33:52 PM

Last enriched: 1/21/2026, 12:22:05 AM

Last updated: 2/7/2026, 10:48:22 AM

Views: 49
