CVE-2025-26969
Published: 15 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-26969 is a Missing Authorization vulnerability (CWE-862) in the PrivateContent WordPress plugin developed by Aldo Latino. The issue affects all versions of the plugin from an unspecified initial release through 8.11.5. Published on 2025-03-15, it carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on integrity and availability.
A low-privileged authenticated user, such as a subscriber (PR:L), can exploit this vulnerability remotely without user interaction. Exploitation enables site-wide broken access control, allowing the attacker to achieve low confidentiality impact alongside high integrity and availability disruption, potentially compromising the entire WordPress site.
The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/private-content/vulnerability/wordpress-privatecontent-plugin-8-11-5-subscriber-site-wide-broken-access-control-vulnerability?_s_id=cve documents this vulnerability in PrivateContent version 8.11.5 and serves as a primary reference for mitigation details.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization (broken access control) in public-facing WordPress plugin allows low-priv authenticated user to perform unauthorized high-impact actions, directly enabling exploitation of the web application (T1190) and privilege escalation (T1068).