CVE-2025-26976
Published: 15 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-26976 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, in the PrivateContent WordPress plugin developed by Aldo Latino. The issue affects PrivateContent versions from n/a through 8.11.4 inclusive. Published on 2025-03-15, it carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating high severity due to its network accessibility and potential for significant data exposure.
Low-privileged remote attackers, such as authenticated WordPress users (PR:L), can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation enables a scoped impact (S:C), achieving high confidentiality loss (C:H), such as unauthorized access to sensitive database contents, alongside low availability disruption (A:L) and no integrity impact (I:N).
Patchstack provides details on the vulnerability and mitigation in its advisory at https://patchstack.com/database/Wordpress/Plugin/private-content/vulnerability/wordpress-privatecontent-plugin-8-11-4-sql-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing WordPress plugin directly enables exploitation of the application for unauthorized database access and data collection from repositories.