Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages < 3.4.4 – Missing Authorization to Authenticated (Contributor+) Arbitrary Plugin Installation | CVE 2025-8565 | Plugin Vulnerabilities

Description

The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on the wplp_gdpr_install_plugin_ajax_handler() function in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to install arbitrary repository plugins.

Affects Plugins

Fixed in 3.4.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ed5f2c6d-a548-44c1-a07a-e33999bb164d

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

32bdbeb7-1973-43c6-9c78-dcd88612a02c

Timeline

Publicly Published

2025-09-17 (about 6 months ago)

Added

2025-09-17 (about 6 months ago)

Last Updated

2025-09-18 (about 6 months ago)

Other

Published

Title

Published

2025-05-07

Title

Media Hygiene < 4.0.1 - Missing Authorization

Published

2025-12-15

Title

WCFM – Frontend Manager for WooCommerce < 6.7.25 - Missing Authorization

Published

2025-09-22

Title

Frontend File Manager < 23.4 - Missing Authorization

Published

2023-12-06

Title

System Dashboard < 2.8.8 - Missing Authorization to Information Disclosure (sd_global_value)

Published

2023-12-27

Title

WP Frontend Profile < 1.3.2 - Unauthenticated Privilege Escalation