PublishPress Authors CVE-2025-26886
HIGHSeverity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
5DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Authors allows SQL Injection. This issue affects PublishPress Authors: from n/a through 4.7.3.
AnalysisAI
SQL injection in PublishPress Authors plugin (versions ≤4.7.3) allows authenticated high-privilege WordPress administrators to extract database contents and potentially cause denial of service via crafted SQL queries. CVSS vector indicates network-accessible attack with low complexity but requires high-privilege authentication and has changed scope (C:H/I:N/A:L). EPSS score of 0.12% (31st percentile) suggests relatively low probability of exploitation in the wild. No CISA KEV listing or public proof-of-concept identified at time of analysis. Patchstack vulnerability database serves as the primary disclosure source, indicating this was discovered through security research rather than incident response.
Technical ContextAI
This is a classic SQL injection vulnerability (CWE-89) affecting the PublishPress Authors WordPress plugin, which manages author profiles and multi-author content workflows in WordPress installations. SQL injection occurs when user-supplied input is insufficiently sanitized before being incorporated into SQL queries, allowing attackers to inject arbitrary SQL commands. The WordPress plugin ecosystem frequently exhibits SQL injection vulnerabilities when developers bypass WordPress's prepared statement APIs (like $wpdb->prepare()) or improperly sanitize user input in custom database queries. Given the PR:H (high privilege required) rating, the vulnerable query likely accepts input from administrative interfaces rather than public-facing forms, suggesting the injection point exists in an admin panel feature accessible only to users with elevated WordPress roles (administrator or possibly editor level).
Affected ProductsAI
WordPress installations running the PublishPress Authors plugin versions 4.7.3 and earlier are vulnerable to SQL injection attacks. The vulnerability affects all versions in the plugin's history up to and including version 4.7.3, as indicated by the version range 'from n/a through 4.7.3'. PublishPress Authors is a community plugin available from the WordPress.org plugin repository that extends WordPress's native author management capabilities with features like guest authors, multiple authors per post, author boxes, and co-author functionality. Detailed vulnerability information is available in the Patchstack database at https://patchstack.com/database/wordpress/plugin/publishpress-authors/vulnerability/wordpress-publishpress-authors-plugin-4-7-3-sql-injection-vulnerability.
RemediationAI
WordPress site administrators should immediately upgrade PublishPress Authors to version 4.7.4 or later if available, checking the WordPress plugin repository or PublishPress vendor advisories for the patched release (patch version not independently confirmed from available data - verify current version in WordPress admin dashboard). Until patching is complete, implement defense-in-depth controls: restrict WordPress administrator role assignments to only essential personnel with verified identities, enable WordPress admin activity logging (via plugins like WP Activity Log or Simple History) to detect suspicious database queries, implement database-level query monitoring to alert on abnormal SELECT statements with UNION clauses or comment sequences typical of SQLi, and consider temporarily disabling the PublishPress Authors plugin if multi-author functionality is not business-critical. Review WordPress admin user accounts for unauthorized additions or privilege escalations that could enable exploitation. After patching, audit database access logs for the period the vulnerability was exposed to identify potential exploitation attempts. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/publishpress-authors/ for vendor-specific remediation guidance and confirmed fix version.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today