CVE-2025-67586
Description
Missing Authorization vulnerability in Ronald Huereca Highlight and Share highlight-and-share allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Highlight and Share: from n/a through <= 5.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Highlight and Share plugin <=5.2.0 allows low-privilege users to exploit broken access control, fixed in 5.3.0.
CVE-2025-67586 is a missing authorization vulnerability in the WordPress plugin Highlight and Share, affecting versions from n/a through 5.2.0 [1]. The issue stems from a broken access control mechanism, where certain functions lack proper authorization or nonce token checks, allowing unprivileged users to perform actions that should require higher privileges [1].
Exploitation requires user interaction, such as clicking a malicious link, visiting a crafted page, or submitting a form, initiated by a role with the required privilege level [1]. This vulnerability is part of a known pattern used in mass-exploit campaigns targeting thousands of websites regardless of size or traffic [1].
An attacker who successfully exploits this flaw can execute higher-privileged actions in the WordPress context, leading to potential content manipulation or other unauthorized changes [1]. The vulnerability is classified as medium severity with a CVSS v3 score of 4.7 [1].
The fix is available in version 5.3.0 or later of the Highlight and Share plugin [1]. Users are strongly advised to update immediately or enable auto-updates if using Patchstack [1]. No workaround is provided beyond updating.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
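As an added illustration of the bug class described above (missing capability and nonce checks in a WordPress plugin), and not code from Highlight and Share, whose affected functions this record does not identify: a constructed AJAX settings handler with the weak pattern beside a hardened version. All function, action, option and nonce names are hypothetical.

```php
<?php
// Constructed example; not code from the Highlight and Share plugin.
// Action, function, option and nonce names below are hypothetical.

// Weak pattern: the handler runs for any authenticated request and never asks
// who is calling or where the request came from. A low-privilege account, or a
// victim's browser driven by a crafted page, can change the plugin's settings.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    $value = isset( $_POST['share_text'] ) ? wp_unslash( $_POST['share_text'] ) : '';
    update_option( 'example_share_text', $value ); // no capability check, no nonce check
    wp_send_json_success();
}

// Hardened pattern: verify the request originated from the plugin's own admin
// page (nonce) and that the caller is authorized to manage options (capability).
add_action( 'wp_ajax_example_save_settings_fixed', 'example_save_settings_fixed' );
function example_save_settings_fixed() {
    // Terminates the request (403) when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    // Authorization: a nonce proves intent, not privilege, so check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $raw   = isset( $_POST['share_text'] ) ? wp_unslash( $_POST['share_text'] ) : '';
    $value = sanitize_text_field( $raw );
    update_option( 'example_share_text', $value );
    wp_send_json_success();
}

// Issue the nonce to the settings page script so legitimate requests carry it.
// Assumes a script with handle 'example-settings' was registered earlier.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-settings', 'exampleSettings', array(
        'nonce' => wp_create_nonce( 'example_settings_nonce' ),
    ) );
} );
```

When reviewing a plugin for this class of issue, every `wp_ajax_*`, `admin_post_*` and REST callback that writes state should show both a `check_ajax_referer`/`wp_verify_nonce` call and a `current_user_can` check before the write.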
Affected products
- Range: <= 5.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.