Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages < 3.5.2 – Missing Authorization to Unauthenticated API Disconnect | CVE 2025-11816 | Plugin Vulnerabilities

Description

The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disconnect_account_request() function in all versions up to, and including, 3.5.1. This makes it possible for unauthenticated attackers to disconnect the site from its API plan.

Affects Plugins

Fixed in 3.5.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2116340a-160f-493c-abe3-75b05282d78a

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafshanzani Suhada

Verified

No

WPVDB ID

24737387-ef04-4310-a961-1ee753a7cdc7

Timeline

Publicly Published

2025-10-31 (about 6 months ago)

Added

2025-10-31 (about 6 months ago)

Last Updated

2025-11-01 (about 6 months ago)

Other

Published

Title

Published

2024-03-14

Title

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login < 5.3.1.0 - Authenticated (Subscriber+) Privilege Escalation

Published

2025-02-21

Title

Page and Post Lister <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion

Published

2025-11-18

Title

Email Subscribers & Newsletters < 5.9.11 - Unauthenticated Mailing Queue Trigger

Published

2025-10-08

Title

Open Close WooCommerce Store <= 4.9.8 - Missing Authorization

Published

2025-01-30

Title

Royal Core <= 2.9.2 - Authenticated (Subscriber+) Arbitrary Options Update