CVE-2025-67586 MEDIUM

CVE-2025-67586: WordPress Highlight and Share plugin <= 5.2.0 - Broken Access Control vulnerability

Vendor: Ronald Huereca
Product: Highlight and Share
Weakness: CWE-862 · Missing authorization
Published: December 9, 2025
Last update: April 28, 2026

CVSS base score

4.7/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

Missing Authorization vulnerability in Ronald Huereca Highlight and Share highlight-and-share allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Highlight and Share: from n/a through <= 5.2.0.

Explanation of Vulnerability in Simple Terms

02 Summary

Highlight and Share versions up to 5.2.0 lack proper authorization checks, allowing an attacker to perform unauthorized actions. The vulnerability requires user interaction and network access but does not require authentication. An attacker can exploit this by tricking a user into visiting a malicious link, potentially affecting the confidentiality and integrity of site data.

What an attacker can do

03 Attacker Capabilities

Perform unauthorized actions and access or modify site data without proper permission.

Potential impact on your site

04 Site Impact

Unauthorized users may read or modify site content or settings if a visitor is tricked into clicking a link.

Conditions required to exploit

05 Prerequisites

User must click a malicious link or visit an attacker-controlled page; no authentication required.

Key dates

06 Disclosure timeline

December 9, 2025: CVE published
April 28, 2026: Record updated