Skip to main content

PublishPress Authors CVE-2025-26886

HIGH
SQL Injection (CWE-89)
2025-03-15 audit@patchstack.com
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Apr 25, 2026 - 00:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 25, 2026 - 00:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:31 vuln.today
CVE Published
Mar 15, 2025 - 22:15 nvd
HIGH 7.6

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Authors allows SQL Injection. This issue affects PublishPress Authors: from n/a through 4.7.3.

AnalysisAI

SQL injection in PublishPress Authors plugin (versions ≤4.7.3) allows authenticated high-privilege WordPress administrators to extract database contents and potentially cause denial of service via crafted SQL queries. CVSS vector indicates network-accessible attack with low complexity but requires high-privilege authentication and has changed scope (C:H/I:N/A:L). EPSS score of 0.12% (31st percentile) suggests relatively low probability of exploitation in the wild. No CISA KEV listing or public proof-of-concept identified at time of analysis. Patchstack vulnerability database serves as the primary disclosure source, indicating this was discovered through security research rather than incident response.

Technical ContextAI

This is a classic SQL injection vulnerability (CWE-89) affecting the PublishPress Authors WordPress plugin, which manages author profiles and multi-author content workflows in WordPress installations. SQL injection occurs when user-supplied input is insufficiently sanitized before being incorporated into SQL queries, allowing attackers to inject arbitrary SQL commands. The WordPress plugin ecosystem frequently exhibits SQL injection vulnerabilities when developers bypass WordPress's prepared statement APIs (like $wpdb->prepare()) or improperly sanitize user input in custom database queries. Given the PR:H (high privilege required) rating, the vulnerable query likely accepts input from administrative interfaces rather than public-facing forms, suggesting the injection point exists in an admin panel feature accessible only to users with elevated WordPress roles (administrator or possibly editor level).

Affected ProductsAI

WordPress installations running the PublishPress Authors plugin versions 4.7.3 and earlier are vulnerable to SQL injection attacks. The vulnerability affects all versions in the plugin's history up to and including version 4.7.3, as indicated by the version range 'from n/a through 4.7.3'. PublishPress Authors is a community plugin available from the WordPress.org plugin repository that extends WordPress's native author management capabilities with features like guest authors, multiple authors per post, author boxes, and co-author functionality. Detailed vulnerability information is available in the Patchstack database at https://patchstack.com/database/wordpress/plugin/publishpress-authors/vulnerability/wordpress-publishpress-authors-plugin-4-7-3-sql-injection-vulnerability.

RemediationAI

WordPress site administrators should immediately upgrade PublishPress Authors to version 4.7.4 or later if available, checking the WordPress plugin repository or PublishPress vendor advisories for the patched release (patch version not independently confirmed from available data - verify current version in WordPress admin dashboard). Until patching is complete, implement defense-in-depth controls: restrict WordPress administrator role assignments to only essential personnel with verified identities, enable WordPress admin activity logging (via plugins like WP Activity Log or Simple History) to detect suspicious database queries, implement database-level query monitoring to alert on abnormal SELECT statements with UNION clauses or comment sequences typical of SQLi, and consider temporarily disabling the PublishPress Authors plugin if multi-author functionality is not business-critical. Review WordPress admin user accounts for unauthorized additions or privilege escalations that could enable exploitation. After patching, audit database access logs for the period the vulnerability was exposed to identify potential exploitation attempts. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/publishpress-authors/ for vendor-specific remediation guidance and confirmed fix version.

Share

CVE-2025-26886 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy