Legal Pages < 1.3.9 – Missing Authorization | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the moveToTrash() and fetch_and_insert_template_data() functions hooked via AJAX in all versions up to, and including, 1.3.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts and fetch/insert template data.

Affects Plugins

Fixed in 1.3.9

References

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/db0508dd-143f-4674-8193-d46967d2799f

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Verified

No

WPVDB ID

f3106cae-013a-46e3-92f1-7596a2cdc457

Timeline

Publicly Published

2023-11-14 (about 2 years ago)

Added

2024-01-17 (about 2 years ago)

Last Updated

2024-01-17 (about 2 years ago)

Other

Published

Title

Published

2023-01-10

Title

Royal Elementor Addons < 1.3.60 - Subscriber+ Template Condition Update

Published

2025-10-20

Title

Whydonate < 4.0.16 - Missing Authorization

Published

2024-02-01

Title

Orbit Fox by ThemeIsle < 2.10.29 - Unauthenticated Connected API Keys Update

Published

2026-02-23

Title

Cryptocurrency Donation Box – Bitcoin & Crypto Donations <= 2.2.13 - Missing Authorization

Published

2025-11-19

Title

Ultimate Member Widgets for Elementor < 2.4 - Missing Authorization to Unauthenticated Information Exposure