CVE-2025-30866: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in Giannis Kipouros Terms & Conditions Per Product plugin affecting versions through 1.2.15. The vulnerability allows exploiting incorrectly configured access control security levels, potentially enabling unauthorized access to protected functionality (NVD, Patchstack).

The vulnerability is classified as a broken access control issue, which stems from missing authorization, authentication, or nonce token checks in certain functions. This allows unprivileged users to execute actions typically restricted to users with higher privileges. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating it can be exploited remotely without requiring privileges or user interaction (Patchstack).

The vulnerability has a low severity impact and is considered unlikely to be exploited. While it allows unauthorized access to certain functionality, the specific impact appears to be limited to access control bypass without significant system compromise (Patchstack).

The vulnerability has been fixed in version 1.2.16 of the Terms & Conditions Per Product plugin. Users are advised to update to this version or later to remove the vulnerability (Patchstack).