Legal Pages < 1.4.6 – Missing Authorization | CVE 2025-48242 | Plugin Vulnerabilities

Description

The Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpwax_legal_page() function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to read private pages.

Affects Plugins

Fixed in 1.4.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/330e40d9-56b2-446a-8aa9-22a59e17c122

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

muhammad yudha

Verified

No

WPVDB ID

ff10ee99-96d3-4bf5-83a4-a84f33b7a692

Timeline

Publicly Published

2025-05-19 (about 1 year ago)

Added

2025-05-28 (about 11 months ago)

Last Updated

2025-05-28 (about 11 months ago)

Other

Published

Title

Published

2025-03-19

Title

Event Manager, Events Calendar, Tickets, Registrations – Eventin < 4.0.25 - Missing Authorization to Unauthenticated Payment Status Update

Published

2022-09-05

Title

Ldap WP Login / Active Directory Integration < 3.0.2 - Unauthenticated Settings Update to Auth Bypass

Published

2025-10-15

Title

Classified Pro < 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

Published

2026-02-15

Title

Royale News <= 2.2.4 - Missing Authorization

Published

2024-11-18

Title

Opal Woo Custom Product Variation < 1.1.4 - Unauthenticated Arbitrary File Deletion