CVE-2025-11816
📋 TL;DR
This vulnerability in the WP Legal Pages WordPress plugin allows unauthenticated attackers to disconnect a WordPress site from its API plan by exploiting a missing capability check. This affects all WordPress sites running WP Legal Pages version 3.5.1 or earlier. Attackers can disrupt the plugin's functionality without requiring any authentication.
💻 Affected Systems
- WP Legal Pages WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could disable the plugin's API connectivity, preventing legal page generation and updates, potentially causing compliance issues for affected websites.
Likely Case
Unauthenticated attackers disrupt the plugin's API functionality, requiring site administrators to manually reconnect the service.
If Mitigated
With proper network controls and updated plugins, impact is limited to temporary service disruption that can be quickly restored.
🎯 Exploit Status
The vulnerability is simple to exploit via direct HTTP requests to the vulnerable endpoint without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3385159/wplegalpages/trunk
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find WP Legal Pages.
4. Click 'Update Now' to update to version 3.5.2 or later.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the WP Legal Pages plugin until patched
wp plugin deactivate wplegalpages
Web Application Firewall Rule
Block requests to the vulnerable disconnect_account_request() endpoint
Add a WAF rule that blocks POST requests to */wp-admin/admin-ajax.php* whose action parameter contains 'disconnect_account_request'
🧯 If You Can't Patch
- Disable the WP Legal Pages plugin immediately
- Implement network-level blocking of the vulnerable endpoint using a WAF or reverse proxy
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > WP Legal Pages version. If version is 3.5.1 or earlier, you are vulnerable.
Check Version:
wp plugin get wplegalpages --field=version
Verify Fix Applied:
Verify WP Legal Pages plugin version is 3.5.2 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=disconnect_account_request from unauthenticated users
- Plugin API disconnection events without admin user activity
Network Indicators:
- HTTP POST requests to WordPress admin-ajax.php endpoint with disconnect_account_request parameter
SIEM Query:
source="wordpress_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND (action="disconnect_account_request" OR parameters.action="disconnect_account_request") AND user="-"
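The log indicators and SIEM query above, implemented as a small offline detector. This is an added example, not code from the advisory or the plugin vendor; the event schema (method, uri, body, user, src) is an assumed normalized web-server/WAF record, and the sample events are constructed with placeholder addresses and user names.

```python
"""Flag calls to the WP Legal Pages disconnect_account_request AJAX action
(CVE-2025-11816). Event fields are assumed, not a real log schema:
method, uri (path plus optional query string), body (form-encoded POST body),
user (WordPress login, or "-" when no valid session was present), src (client)."""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

TARGET_ACTION = "disconnect_account_request"


def extract_action(uri: str, body: str) -> Optional[str]:
    """admin-ajax.php reads `action` from the query string or the POST body,
    so a detector that only inspects the URL misses body-carried requests."""
    for qs in (urlsplit(uri).query, body):
        values = parse_qs(qs).get("action")
        if values:
            return values[0]
    return None


def classify(event: dict) -> Optional[str]:
    """'unauthenticated' = matches the indicators above (likely exploitation);
    'authenticated' = legitimate admin disconnect, worth an audit entry;
    None = not relevant. Only POST is considered, as the indicators specify."""
    uri, body = event.get("uri", ""), event.get("body", "")
    if event.get("method", "").upper() != "POST":
        return None
    if not urlsplit(uri).path.endswith("/wp-admin/admin-ajax.php"):
        return None
    if extract_action(uri, body) != TARGET_ACTION:
        return None
    return "unauthenticated" if event.get("user", "-") in ("-", "") else "authenticated"


def scan(events: List[dict]) -> List[Tuple[str, str]]:
    return [(e["src"], verdict) for e in events if (verdict := classify(e))]


# Constructed sample events (placeholder addresses and logins).
SAMPLE_EVENTS = [
    {"src": "203.0.113.10", "method": "POST", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=disconnect_account_request", "user": "-"},
    {"src": "203.0.113.11", "method": "POST",
     "uri": "/wp-admin/admin-ajax.php?action=disconnect_account_request", "body": "", "user": "-"},
    {"src": "198.51.100.5", "method": "POST", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=disconnect_account_request&_wpnonce=placeholder", "user": "siteadmin"},
    {"src": "198.51.100.6", "method": "POST", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=heartbeat", "user": "-"},
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_EVENTS):
        print(f"{src}: {verdict} call to {TARGET_ACTION}")
```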
🔗 References
- https://plugins.trac.wordpress.org/browser/wplegalpages/tags/3.5.1/admin/class-wp-legal-pages-admin.php#L114
- https://plugins.trac.wordpress.org/browser/wplegalpages/tags/3.5.1/admin/class-wp-legal-pages-admin.php#L138
- https://plugins.trac.wordpress.org/changeset/3385159/wplegalpages/trunk?contextall=1&old=3375554&old_path=%2Fwplegalpages%2Ftrunk
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2116340a-160f-493c-abe3-75b05282d78a?source=cve