CVE-2025-67974 identifies a missing authorization vulnerability in the WP Legal Pages (WPLegalPages) WordPress plugin, specifically affecting all versions up to and including 3.5.4. This vulnerability arises from improperly configured access control mechanisms that fail to verify whether a user is authorized to perform certain actions within the plugin. As a result, an unauthenticated attacker can remotely exploit this flaw without any user interaction or prior authentication, allowing them to modify or manipulate the integrity of legal pages managed by the plugin. These pages often contain critical compliance information such as privacy policies, terms of service, and disclaimers. The CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) reflects that the attack vector is network-based, with low complexity, no privileges or user interaction required, and impacts integrity but not confidentiality or availability. The vulnerability does not currently have known exploits in the wild, but given the plugin’s role in managing legal content, exploitation could lead to unauthorized changes that misrepresent legal terms or expose organizations to regulatory and reputational risks. The vulnerability was reserved in December 2025 and published in February 2026, with no patch links currently available, indicating that remediation may be pending or in progress.

The primary impact of CVE-2025-67974 is the unauthorized modification of legal content on websites using the WPLegalPages plugin. This can lead to integrity violations where attackers alter terms of service, privacy policies, or disclaimers, potentially exposing organizations to legal liabilities, regulatory non-compliance, and reputational damage. Since the vulnerability does not affect confidentiality or availability, data breaches or service disruptions are less likely. However, the trustworthiness of legal documentation is critical for compliance with data protection laws such as GDPR, CCPA, and others. Organizations relying on this plugin, especially those in regulated industries like finance, healthcare, and e-commerce, could face significant consequences if attackers manipulate legal content to mislead users or evade legal obligations. The ease of exploitation and lack of authentication requirements increase the risk of widespread abuse, particularly on publicly accessible WordPress sites.

Organizations should immediately inventory their WordPress installations to identify if the WPLegalPages plugin is in use and determine the version. Until an official patch is released, administrators should consider temporarily disabling the plugin or restricting access to its management interfaces via web application firewalls (WAFs) or IP whitelisting. Monitoring website content for unauthorized changes to legal pages is critical to detect exploitation attempts early. Implementing strict file integrity monitoring and alerting on changes to plugin files or legal page content can help identify attacks. Additionally, organizations should subscribe to vendor and security advisories for timely updates and apply patches as soon as they become available. Employing least privilege principles for WordPress user roles and limiting plugin management capabilities to trusted administrators can reduce risk. Finally, consider deploying runtime application self-protection (RASP) tools to detect and block unauthorized access attempts targeting this vulnerability.