CVE-2025-26966
Published: 25 February 2025
Description
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Security Summary
CVE-2025-26966 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the PrivateContent WordPress plugin by Aldo Latino. This issue affects all versions of PrivateContent from n/a through 8.11.5. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impacts across confidentiality, integrity, and availability.
Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploitation enables account takeover, allowing attackers to gain unauthorized control over user accounts within affected WordPress installations running the vulnerable plugin.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/private-content/vulnerability/wordpress-privatecontent-plugin-8-11-5-unauthenticated-account-takeover-vulnerability?_s_id=cve details this unauthenticated account takeover vulnerability in PrivateContent version 8.11.5. Security practitioners should review the advisory for recommended mitigations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass in public-facing WordPress plugin enables remote unauthenticated exploitation (T1190) resulting in account takeover for use of valid accounts (T1078).