CVE-2025-67967: Missing Authorization in e-plugins Lawyer Directory
Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Directory: from n/a through <= 1.3.3.
AI Analysis
Technical Summary
CVE-2025-67967 is a missing authorization vulnerability in the e-plugins Lawyer Directory WordPress plugin, affecting versions up to and including 1.3.3. It arises from incorrectly configured access control security levels within the plugin, which allow an attacker holding a low-privileged account (PR:L) to bypass authorization checks and perform unauthorized actions over the network (AV:N) without any user interaction (UI:N). The impact on confidentiality is limited (C:L), the impact on integrity is high (I:H), and the impact on availability is low (A:L): the flaw lets an attacker manipulate or alter data managed by the Lawyer Directory, potentially compromising the integrity of sensitive legal information stored or managed by the plugin. Although no exploits have been observed in the wild, the remote, interaction-free nature of the flaw and the plugin's use on legal-sector websites make it a critical concern. No patch was available at the time of reporting, so administrators need to apply interim mitigations. The CVE was reserved in December 2025 and published in January 2026, indicating recent discovery and disclosure. The plugin is commonly used in WordPress environments to manage lawyer directories, which makes it a target for attackers seeking to exploit access control weaknesses in legal-sector web applications.
Potential Impact
For European organizations, especially law firms and legal service providers using the e-plugins Lawyer Directory, this vulnerability could lead to unauthorized modification of sensitive legal data, undermining data integrity and potentially causing reputational damage and legal compliance issues. The ability for low-privileged attackers to bypass authorization controls remotely increases the risk of data tampering or unauthorized data exposure. This could disrupt business operations, lead to loss of client trust, and expose organizations to regulatory penalties under GDPR if personal data is affected. The limited impact on availability suggests that denial-of-service is less likely, but integrity and confidentiality risks remain significant. Organizations relying on this plugin for public-facing directories or internal legal resource management are particularly vulnerable. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for mitigation, as attackers may develop exploits rapidly given the vulnerability's characteristics.
Mitigation Recommendations
1. Immediately review and restrict user privileges within the Lawyer Directory plugin to the minimum necessary, ensuring that only trusted users have elevated permissions.
2. Monitor logs and audit trails for unusual access patterns or unauthorized modification attempts related to the Lawyer Directory plugin.
3. Apply any vendor-provided patches or updates as soon as they become available; if no patch exists, consider temporarily disabling the plugin or restricting its network exposure.
4. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the Lawyer Directory endpoints.
5. Conduct a thorough security review of access control configurations across all plugins and WordPress installations to prevent similar authorization bypass issues.
6. Educate administrators and users about the risks of privilege escalation and the importance of strong access control policies.
7. Consider isolating the Lawyer Directory plugin functionality on segmented network zones to limit potential lateral movement in case of compromise.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-12-15T10:00:23.852Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 697259174623b1157c7faecd
Added to database: 1/22/2026, 5:06:31 PM
Last enriched: 1/30/2026, 8:40:11 AM
Last updated: 2/4/2026, 10:55:35 PM