CVE-2025-67974: Missing Authorization in WP Legal Pages WPLegalPages
CVE-2025-67974 is a missing authorization vulnerability in the WP Legal Pages plugin (WPLegalPages) for WordPress, affecting versions up to 3.5.4. The flaw arises from incorrectly configured access control, allowing unauthorized users to potentially perform actions or access data they should not. Although no known exploits are currently in the wild, the vulnerability could lead to unauthorized modifications or disclosures of legal page content. This issue impacts the confidentiality and integrity of website data managed by the plugin. Exploitation does not require user interaction but depends on the attacker’s ability to access the vulnerable WordPress installation. Organizations using WPLegalPages should prioritize patching or applying mitigations once available. Countries with significant WordPress usage and strong reliance on legal compliance pages are at higher risk. The severity is assessed as high due to the potential for unauthorized access and modification without authentication.
AI Analysis
Technical Summary
CVE-2025-67974 identifies a missing authorization vulnerability in the WP Legal Pages (WPLegalPages) WordPress plugin, specifically affecting versions up to 3.5.4. The vulnerability stems from improperly configured access control mechanisms within the plugin, which fail to enforce adequate authorization checks. This misconfiguration allows attackers to bypass intended security restrictions and perform unauthorized actions on legal pages managed by the plugin. Legal pages often contain critical compliance information such as privacy policies, terms of service, and disclaimers, making their integrity and confidentiality essential. The vulnerability does not require user interaction but does require the attacker to have some level of access to the WordPress environment, such as through a compromised account or other means. No CVSS score has been assigned yet, and no public exploits have been reported, but the risk remains significant due to the nature of the data involved and the potential for unauthorized content manipulation or disclosure. The issue was reserved in December 2025 and published in February 2026, indicating recent discovery. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for immediate mitigation efforts. The vulnerability affects a widely used WordPress plugin, increasing the potential attack surface globally, especially in organizations relying on WordPress for website management and legal compliance documentation.
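To make the bug class concrete, the following is an added illustration, not code from WPLegalPages or from this advisory, of what a missing authorization check in a WordPress plugin handler looks like beside its hardened form. The handler names and the AJAX action `example_save_legal_page` are hypothetical; the WordPress API calls (`add_action`, `check_ajax_referer`, `current_user_can`, `wp_update_post`) are the real ones.

```php
<?php
// Added illustration only. Nothing here is WPLegalPages code; the action name
// 'example_save_legal_page' and both function names are made up for the example.

// --- Vulnerable form (as it would be registered on 'wp_ajax_example_save_legal_page').
// The callback never asks who the caller is or whether the request was intended:
// no capability check and no nonce. Any logged-in account, a subscriber included,
// can rewrite the legal page. Registering it additionally on
// 'wp_ajax_nopriv_example_save_legal_page' would expose it to anonymous callers.
function example_save_legal_page_vulnerable() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
    ) );
    wp_send_json_success();
}

// --- Hardened form: verify intent (nonce) and authorization (capability) before
// any state changes. Only this handler should be registered.
add_action( 'wp_ajax_example_save_legal_page', 'example_save_legal_page_hardened' );
function example_save_legal_page_hardened() {
    // check_ajax_referer() terminates the request with a -1 / 403 if the nonce is
    // missing or invalid, so a forged cross-site request stops here.
    check_ajax_referer( 'example_save_legal_page', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );

    // Per-object authorization: 'edit_post' is mapped by map_meta_cap() to the
    // capability appropriate for this post's type and author, so an account that
    // may edit its own drafts still cannot touch a page it does not own.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
    ) );
    wp_send_json_success();
}
```

When reviewing a plugin for this class of flaw, look for every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and REST route callback and confirm that each one performs both checks before writing; a nonce alone is not authorization, and a capability check alone does not stop CSRF.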
Potential Impact
The primary impact of CVE-2025-67974 is the unauthorized access and potential modification of legal compliance pages on WordPress sites using the WPLegalPages plugin. This can lead to the exposure of sensitive legal information or the alteration of critical compliance documents, undermining trust and potentially causing legal or regulatory repercussions. Organizations may face reputational damage if attackers manipulate legal content to mislead users or hide important disclaimers. The integrity of website content is compromised, which can affect customer confidence and compliance with data protection regulations such as GDPR or CCPA. Additionally, unauthorized changes could be leveraged to insert malicious links or scripts, escalating the threat to website visitors. Since WordPress powers a significant portion of websites globally, the scope of affected systems is broad, especially for businesses and institutions that rely on WPLegalPages for managing legal content. The ease of exploitation is moderate, as it depends on the attacker’s ability to reach the vulnerable plugin interface, but no authentication is required for the authorization bypass itself. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a critical risk if left unaddressed.
Mitigation Recommendations
1. Immediately audit and restrict access permissions to the WordPress admin dashboard and specifically to the WPLegalPages plugin management interface to trusted users only.
2. Monitor web server and WordPress logs for unusual access patterns or unauthorized attempts to modify legal pages.
3. Disable or deactivate the WPLegalPages plugin temporarily if legal page management is not critical or if no immediate patch is available.
4. Implement Web Application Firewall (WAF) rules to block suspicious requests targeting the plugin’s endpoints.
5. Stay informed on vendor announcements and apply official patches or updates as soon as they are released.
6. Conduct a thorough review of all legal pages post-mitigation to ensure no unauthorized changes have been made.
7. Employ the principle of least privilege for all user roles within WordPress to minimize the risk of privilege escalation.
8. Consider alternative plugins with verified secure authorization controls if a timely patch is not forthcoming.
9. Educate site administrators about the risks of unauthorized access and the importance of strong authentication mechanisms such as MFA.
10. Regularly back up website content, including legal pages, to enable quick restoration if tampering occurs.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands, South Africa, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-12-15T10:00:28.856Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6998c9e9be58cf853bab830b
Added to database: 2/20/2026, 8:54:01 PM
Last enriched: 2/20/2026, 9:11:49 PM
Last updated: 2/21/2026, 4:37:11 AM