CVE-2025-8565

WordPress · WordPress Plugin: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages

A high-severity vulnerability has been identified in the WP Legal Pages plugin for WordPress, impacting all versions up to and including 3.0.

Executive summary

A high-severity vulnerability has been identified in the WP Legal Pages plugin for WordPress, impacting all versions up to and including 3.0. The flaw allows any authenticated user, regardless of their permission level, to execute administrative functions, such as installing new plugins. Successful exploitation could lead to a complete compromise of the affected website, resulting in data theft, defacement, or further malicious activity.

Vulnerability

The vulnerability exists due to a missing capability check within the wplp_gdpr_install_plugin_ajax_handler() function. This function, accessible via WordPress's AJAX API, fails to verify if the user making the request has the appropriate administrative privileges. An authenticated attacker with a low-privilege account, such as a subscriber, can send a crafted request to this function to trigger the installation of a new plugin, effectively escalating their privileges and gaining unauthorized administrative control.
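The fix for this class of bug is an authorization check (plus a nonce) at the top of the AJAX handler, before any privileged work is done. The following is an added illustration of that corrected pattern and is not code from WP Legal Pages or its vendor; the action name example_install_plugin, the nonce name, the script handle and the request parameters are hypothetical.

```php
<?php
// Added illustration, not WP Legal Pages code. The action name 'example_install_plugin',
// nonce name and script handle are hypothetical. wp_ajax_* hooks fire for ANY logged-in
// user, which is the exposure the advisory describes: being logged in is not authorization.
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin_ajax_handler' );

function example_install_plugin_ajax_handler() {
    // 1. CSRF: the request must carry a nonce minted for this action (see enqueue below).
    check_ajax_referer( 'example_install_plugin', 'nonce' );

    // 2. Authorization: the capability check whose absence the advisory describes.
    //    'install_plugins' is held by administrators only, so subscribers and other
    //    low-privilege roles are rejected here.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 ); // exits
    }

    // 3. Input validation: only a repository-style slug (lowercase, digits, dashes) is accepted.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'Missing plugin slug.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    // Resolve the slug via WordPress.org so only repository plugins can be installed.
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 400 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}

// The admin screen that sends the request is handed a nonce for the same action, so a
// request forged from elsewhere (or replayed without it) fails at check_ajax_referer().
function example_install_plugin_enqueue( $hook ) {
    if ( 'plugins.php' !== $hook ) { return; }
    wp_enqueue_script( 'example-install', plugins_url( 'install.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-install', 'exampleInstall', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_install_plugin' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_install_plugin_enqueue' );
```

The nonce alone would not fix this bug: any logged-in user who can load the admin screen could obtain one, so the current_user_can() check is the essential line.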

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.1. A successful exploit could have a significant negative impact on the business. An attacker could install malicious plugins designed to steal sensitive customer data, inject malware, deface the website, or use the compromised server to launch further attacks. This poses a direct risk to data confidentiality and integrity, potentially leading to regulatory fines, reputational damage, and loss of customer trust.

Remediation

Immediate Action:

  • Immediately update the "WP Legal Pages" plugin to the latest patched version provided by the vendor.
  • If the plugin is not critical to operations, review its necessity. Consider deactivating and removing the plugin entirely to eliminate the attack surface.

Proactive Monitoring:

  • Monitor WordPress audit logs for unexpected or unauthorized plugin installations and activations.
  • Review web server access logs for suspicious POST requests to /wp-admin/admin-ajax.php, specifically those invoking the AJAX action handled by wplp_gdpr_install_plugin_ajax_handler(). Note that the action parameter is usually sent in the POST body, which default access-log formats do not record, so application-level or WAF logging may be needed to see it.
  • Utilize file integrity monitoring to detect unauthorized changes or additions to the wp-content/plugins/ directory.

Compensating Controls:

  • Deploy a Web Application Firewall (WAF) with rules specifically designed to block requests to the vulnerable AJAX function from non-administrative users.
  • Enforce the principle of least privilege for all user accounts. Regularly audit user roles and remove any unnecessary accounts.
  • Harden file system permissions so that the web server process cannot write to the plugins directory, which would block an attacker's attempt to install a new plugin. This also blocks legitimate dashboard installs and updates, so plan an alternative update path (for example a deployment pipeline or WP-CLI) before applying it.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 8.1) and the potential for a complete website compromise, immediate action is required. While this vulnerability is not currently listed on the CISA KEV catalog, its ease of exploitation makes it a critical threat. We strongly recommend that all instances of the "WP Legal Pages" plugin be identified across the organization and updated to the latest version without delay. Prioritization should be given to public-facing and business-critical websites.