Cyber Posture

CVE-2026-25471

High

Published: 19 March 2026

Published
19 March 2026
Modified
23 April 2026
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0008 22.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25471 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match
prevent

Explicitly identifies and authorizes only specific actions performable without identification or authentication, directly mitigating authentication bypass via alternate paths used for password recovery exploitation.

IA-2 Identification and Authentication (Organizational Users) good match
prevent

Requires robust identification and authentication for organizational users, preventing bypass vulnerabilities in mechanisms like the affected plugin's password recovery.

AC-3 Access Enforcement good match
prevent

Enforces approved access authorizations, blocking unauthorized access through vulnerable alternate channels or paths in the WordPress plugin.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Authentication bypass via alternate path in public-facing WordPress plugin directly enables remote exploitation of internet-facing application for initial access and admin compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard admin-safety-guard allows Password Recovery Exploitation.This issue affects Admin Safety Guard: from n/a through <= 1.2.7.

Deeper analysisAI

CVE-2026-25471 is an Authentication Bypass Using an Alternate Path or Channel vulnerability in the Themepaste Admin Safety Guard (admin-safety-guard) WordPress plugin. This issue allows Password Recovery Exploitation and affects versions from n/a through <=1.2.7. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-288.

Unauthenticated attackers can exploit this vulnerability remotely over the network, requiring high attack complexity but no user interaction or privileges. Successful exploitation enables high impacts on confidentiality, integrity, and availability, allowing attackers to bypass authentication via an alternate path or channel and leverage password recovery mechanisms.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/admin-safety-guard/vulnerability/wordpress-admin-safety-guard-plugin-1-2-2-broken-authentication-vulnerability?_s_id=cve details this broken authentication vulnerability in the WordPress Admin Safety Guard plugin.

Details

CWE(s)
CWE-288

CVEs Like This One

CVE-2026-40630Shared CWE-288
CVE-2025-67039Shared CWE-288
CVE-2025-13539Shared CWE-288
CVE-2026-31151Shared CWE-288
CVE-2025-64236Shared CWE-288
CVE-2025-27129Shared CWE-288
CVE-2025-5955Shared CWE-288
CVE-2025-63217Shared CWE-288
CVE-2025-67070Shared CWE-288
CVE-2025-5397Shared CWE-288

References