CVE-2025-48242: 
WordPress vulnerability analysis and mitigation

Missing Authorization vulnerability was discovered in wpWax Legal Pages plugin affecting versions through 1.4.5. The vulnerability was disclosed on May 19, 2025, and is tracked as CVE-2025-48242. This security issue allows exploiting incorrectly configured access control security levels in the WordPress plugin (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs low privileges, requires no user interaction, has unchanged scope, and can impact confidentiality but not integrity or availability. The vulnerability is classified as CWE-862: Missing Authorization (NVD, Patchstack).

The vulnerability allows an unprivileged user to execute certain higher privileged actions due to broken access control. The CVSS score indicates a high impact on confidentiality while maintaining no impact on system integrity or availability (Patchstack).

Users are advised to update to version 1.4.6 or later to remove the vulnerability. The security issue has been assessed as having a low severity impact and is unlikely to be exploited. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).