Cyber Resilience

CVE-2025-26969

High

Published: 15 March 2025

Published
15 March 2025
Modified
28 April 2026
KEV Added
Patch
CVSS Score v3.1 8.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
EPSS Score 0.0009 24.8th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26969 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-26969 is a Missing Authorization vulnerability (CWE-862) in the PrivateContent WordPress plugin developed by Aldo Latino. The issue affects all versions of the plugin from an unspecified initial release through 8.11.5. Published on 2025-03-15, it carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on integrity and availability.

A low-privileged authenticated user, such as a subscriber (PR:L), can exploit this vulnerability remotely without user interaction. Exploitation enables site-wide broken access control, allowing the attacker to achieve low confidentiality impact alongside high integrity and availability disruption, potentially compromising the entire WordPress site.

The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/private-content/vulnerability/wordpress-privatecontent-plugin-8-11-5-subscriber-site-wide-broken-access-control-vulnerability?_s_id=cve documents this vulnerability in PrivateContent version 8.11.5 and serves as a primary reference for mitigation details.

EU & UK References

Vulnerability details

Missing Authorization vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Missing authorization (broken access control) in public-facing WordPress plugin allows low-priv authenticated user to perform unauthorized high-impact actions, directly enabling exploitation of the web application (T1190) and privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4100Shared CWE-862
CVE-2026-32501Shared CWE-862
CVE-2025-31194Shared CWE-862
CVE-2026-6963Shared CWE-862
CVE-2024-9195Shared CWE-862
CVE-2025-6380Shared CWE-862
CVE-2026-0506Shared CWE-862
CVE-2025-2110Shared CWE-862
CVE-2025-27270Shared CWE-862
CVE-2026-6510Shared CWE-862

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires enforcement of approved authorizations for access to system resources, directly preventing the missing authorization that allows low-privileged subscribers site-wide broken access control.

prevent

Mandates making access control decisions for defined resources by specific roles or personnel, countering the plugin's failure to authorize low-privileged user actions.

prevent

Employs least privilege to limit authorized accesses, reducing the scope and impact of authorization bypasses by low-privileged users.

References