CVE-2025-26976
Published: 15 March 2025
Summary
CVE-2025-26976 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-26976 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, in the PrivateContent WordPress plugin developed by Aldo Latino. The issue affects PrivateContent versions from n/a through 8.11.4 inclusive. Published on 2025-03-15, it carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating high severity due to its network accessibility and potential for significant data exposure.
Low-privileged remote attackers, such as authenticated WordPress users (PR:L), can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation enables a scoped impact (S:C), achieving high confidentiality loss (C:H), such as unauthorized access to sensitive database contents, alongside low availability disruption (A:L) and no integrity impact (I:N).
Patchstack provides details on the vulnerability and mitigation in its advisory at https://patchstack.com/database/Wordpress/Plugin/private-content/vulnerability/wordpress-privatecontent-plugin-8-11-4-sql-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7726
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aldo Latino PrivateContent private-content.This issue affects PrivateContent: from n/a through <= 8.11.4.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing WordPress plugin directly enables exploitation of the application for unauthorized database access and data collection from repositories.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 directly prevents SQL injection by requiring validation and neutralization of special elements in user inputs used for SQL commands in the PrivateContent plugin.
SI-2 ensures timely remediation of the specific SQL injection flaw in PrivateContent versions through <=8.11.4, eliminating the vulnerability.
RA-5 vulnerability scanning identifies SQL injection issues like CVE-2025-26976 in WordPress plugins, enabling proactive patching before exploitation.