CVE-2025-26966
Published: 25 February 2025
Summary
CVE-2025-26966 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 8.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Deeper analysis
CVE-2025-26966 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the PrivateContent WordPress plugin by Aldo Latino. This issue affects all versions of PrivateContent from n/a through 8.11.5. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impacts across confidentiality, integrity, and availability.
Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploitation enables account takeover, allowing attackers to gain unauthorized control over user accounts within affected WordPress installations running the vulnerable plugin.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/private-content/vulnerability/wordpress-privatecontent-plugin-8-11-5-unauthenticated-account-takeover-vulnerability?_s_id=cve details this unauthenticated account takeover vulnerability in PrivateContent version 8.11.5. Security practitioners should review the advisory for recommended mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5442
Vulnerability details
Authentication Bypass Using an Alternate Path or Channel vulnerability in Aldo Latino PrivateContent (private-content). This issue affects PrivateContent: from n/a through <= 8.11.5.
CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1078 Valid Accounts
Why these techniques?
Authentication bypass in a public-facing WordPress plugin enables remote unauthenticated exploitation (T1190), resulting in account takeover and the subsequent use of valid accounts (T1078).
Affected Assets
- PrivateContent WordPress plugin (private-content) by Aldo Latino, all versions through 8.11.5
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: remediating known flaws in vulnerable plugins like PrivateContent directly prevents exploitation of this authentication bypass vulnerability.
- AC-3 (Access Enforcement): enforces approved authorizations for logical access, directly countering authentication bypass via alternate paths or channels in the plugin.
- IA-8 (Identification and Authentication (Non-organizational Users)): requires proper identification and authentication for non-organizational users, mitigating unauthenticated account takeover in public-facing WordPress plugins.