CVE-2025-26969
Published: 15 March 2025
Summary
CVE-2025-26969 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-26969 is a Missing Authorization vulnerability (CWE-862) in the PrivateContent WordPress plugin developed by Aldo Latino. The issue affects all versions of the plugin from an unspecified initial release through 8.11.5. Published on 2025-03-15, it carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on integrity and availability.
A low-privileged authenticated user, such as a subscriber (PR:L), can exploit this vulnerability remotely without user interaction. Exploitation enables site-wide broken access control, allowing the attacker to achieve low confidentiality impact alongside high integrity and availability disruption, potentially compromising the entire WordPress site.
The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/private-content/vulnerability/wordpress-privatecontent-plugin-8-11-5-subscriber-site-wide-broken-access-control-vulnerability?_s_id=cve documents this vulnerability in PrivateContent version 8.11.5 and serves as a primary reference for mitigation details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7724
Vulnerability details
Missing Authorization vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization (broken access control) in public-facing WordPress plugin allows low-priv authenticated user to perform unauthorized high-impact actions, directly enabling exploitation of the web application (T1190) and privilege escalation (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires enforcement of approved authorizations for access to system resources, directly preventing the missing authorization that allows low-privileged subscribers site-wide broken access control.
Mandates making access control decisions for defined resources by specific roles or personnel, countering the plugin's failure to authorize low-privileged user actions.
Employs least privilege to limit authorized accesses, reducing the scope and impact of authorization bypasses by low-privileged users.