CVE-2025-67586

🗓️ 09 Dec 2025 14:14:16Reported by PatchstackType

cve🔗 web.nvd.nist.gov👁 11 Views🌐 WEB

CVE-2025-67586: WordPress Highlight and Share plugin <=5.2.0 suffers broken access control.

Reporter	Title	Published	Views	Family All 12
Circl	CVE-2025-67586	20 Dec 202509:00	–	circl
CNNVD	WordPress plugin Highlight and Share 安全漏洞	9 Dec 202500:00	–	cnnvd
Cvelist	CVE-2025-67586 WordPress Highlight and Share plugin <= 5.2.0 - Broken Access Control vulnerability	9 Dec 202514:14	–	cvelist
Exploit DB	WordPress Plugin 5.2.0 - Broken Access Control	22 Apr 202600:00	–	exploitdb
EUVD	EUVD-2025-202067	9 Dec 202518:30	–	euvd
NVD	CVE-2025-67586	9 Dec 202516:18	–	nvd
Packet Storm	📄 WordPress Highlight and Share 5.2.0 Missing Authentication	22 Apr 202600:00	–	packetstorm
Patchstack	WordPress Highlight and Share plugin <= 5.2.0 - Broken Access Control vulnerability	15 Dec 202513:30	–	patchstack
Positive Technologies	PT-2025-49960	9 Dec 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-67586	10 Dec 202514:23	–	redhatcve

Vulners

Node

ronald_huereca highlight_and_shareRange≤5.2.0wordpress

[
  {
    "collectionURL": "https://wordpress.org/plugins",
    "defaultStatus": "unaffected",
    "packageName": "highlight-and-share",
    "product": "Highlight and Share",
    "vendor": "Ronald Huereca",
    "versions": [
      {
        "changes": [
          {
            "at": "5.3.0",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "5.2.0",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
patchstack	www.patchstack.com/database/Wordpress/Plugin/highlight-and-share/vulnerability/wordpress-highlight-and-share-plugin-5-2-0-broken-access-control-vulnerability

Parameter	Position	Path	Description	CWE
action	request body	/wp-admin/admin-ajax.php	Unauthenticated AJAX action leads to broken access control in the WordPress plugin, enabling unauthorized email sharing.	CWE-862
formData[postId]	request body	/wp-admin/admin-ajax.php	Unauthenticated AJAX action leads to broken access control in the WordPress plugin, enabling unauthorized email sharing.	CWE-862
formData[permalink]	request body	/wp-admin/admin-ajax.php	Unauthenticated AJAX action leads to broken access control in the WordPress plugin, enabling unauthorized email sharing.	CWE-862
formData[nonce]	request body	/wp-admin/admin-ajax.php	Unauthenticated AJAX action leads to broken access control in the WordPress plugin, enabling unauthorized email sharing.	CWE-862
formData[toEmail]	request body	/wp-admin/admin-ajax.php	Unauthenticated AJAX action leads to broken access control in the WordPress plugin, enabling unauthorized email sharing.	CWE-862
formData[subject]	request body	/wp-admin/admin-ajax.php	Unauthenticated AJAX action leads to broken access control in the WordPress plugin, enabling unauthorized email sharing.	CWE-862
formData[shareText]	request body	/wp-admin/admin-ajax.php	Unauthenticated AJAX action leads to broken access control in the WordPress plugin, enabling unauthorized email sharing.	CWE-862
formData[emailShareType]	request body	/wp-admin/admin-ajax.php	Unauthenticated AJAX action leads to broken access control in the WordPress plugin, enabling unauthorized email sharing.	CWE-862

28 Apr 2026 16:14Current

6.6Medium risk

Vulners AI Score6.6

CVSS 3.14.7

EPSS0.01231

SSVC

CWE-862