Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in raratheme Lawyer Landing Page lawyer-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lawyer Landing Page: from n/a through <= 1.2.7.
AnalysisAI
The Lawyer Landing Page plugin through version 1.2.7 contains an authorization bypass vulnerability that allows unauthenticated attackers to modify data due to improper access control configuration. This network-accessible vulnerability could enable attackers to alter content or settings without proper authentication credentials. A patch is not currently available for affected installations.
Technical ContextAI
This vulnerability is rooted in CWE-862 (Missing Authorization), a class of security weakness where access control checks are either absent or improperly implemented. The raratheme Lawyer Landing Page plugin, identified via WordPress plugin ecosystem taxonomy, fails to validate user permissions before executing critical operations—likely in administrative or form-processing functions. The vulnerability affects the plugin from an unspecified baseline through version 1.2.7, suggesting the issue existed from early development or introduction and persisted through multiple minor releases. The plugin likely runs within WordPress's REST API, admin-ajax, or direct POST/GET handlers where authorization checks should validate user capabilities (such as wp_verify_nonce and current_user_can()) but do not.
RemediationAI
Immediately upgrade the raratheme Lawyer Landing Page plugin to the latest available version (expected to be 1.2.8 or later once patched by the vendor). Until a patch is available or applied, implement the following mitigations: restrict administrative access to the WordPress dashboard using IP whitelisting or a Web Application Firewall (WAF) rule set to block unauthenticated requests to affected plugin endpoints; audit database logs for unauthorized data modifications; implement WordPress security hardening best practices including strong authentication, two-factor authentication for admin accounts, and nonce verification in form submissions. If the vendor has not released a patch, consider disabling the plugin entirely until a security update is confirmed. Check the raratheme website or WordPress plugin repository for security advisories and patch notes.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12027