Skip to main content

PrivateContent WordPress Plugin CVE-2025-26969

HIGH
Missing Authorization (CWE-862)
2025-03-15 audit@patchstack.com
8.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:24 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:31 vuln.today
CVE Published
Mar 15, 2025 - 22:15 nvd
HIGH 8.3

DescriptionCVE.org

Missing Authorization vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5.

AnalysisAI

Broken access control in PrivateContent WordPress plugin through version 8.11.5 allows authenticated subscribers to bypass authorization checks and execute high-impact modifications or deletions across the site. Reported by Patchstack security researchers, this vulnerability enables low-privileged users to perform administrative actions they should not have access to. EPSS exploitation probability is low at 0.13% (32nd percentile), and no active exploitation or public exploit code has been identified at time of analysis.

Technical ContextAI

This vulnerability stems from CWE-862 (Missing Authorization), a common access control flaw in web applications where security checks are absent or improperly implemented on sensitive operations. The PrivateContent plugin is designed to restrict WordPress content visibility based on user roles and membership levels. The missing authorization manifests as a failure to validate user permissions before executing privileged functions, allowing subscribers (the lowest authenticated role in WordPress) to invoke operations intended for administrators or editors. The CVSS vector indicates network-accessible exploitation with low complexity against authenticated users, with scope limited to the vulnerable component but high impact to integrity and availability.

Affected ProductsAI

WordPress PrivateContent plugin versions from earliest release through 8.11.5 developed by Aldo Latino. Full version range affected is not specified in available data but the vulnerability is confirmed present up to and including version 8.11.5. Users should verify their installed version against vendor advisories. Patchstack database entry provides additional technical details at https://patchstack.com/database/wordpress/plugin/private-content/vulnerability/wordpress-privatecontent-plugin-8-11-5-subscriber-site-wide-broken-access-control-vulnerability.

RemediationAI

Upgrade PrivateContent to version 8.11.6 or later if available (verify current patched version at https://patchstack.com/database/wordpress/plugin/private-content/vulnerability/wordpress-privatecontent-plugin-8-11-5-subscriber-site-wide-broken-access-control-vulnerability). If no patch is immediately available or upgrade is delayed, implement compensating controls: disable new subscriber registrations through WordPress Settings > General > Membership to prevent untrusted account creation; audit existing subscriber accounts and remove or demote suspicious users; implement WordPress role management plugins to enforce strict capability checks; monitor WordPress audit logs for unexpected administrative actions by low-privileged users, particularly content modifications or deletions by subscribers; consider temporarily disabling the PrivateContent plugin if not business-critical until patch confirmation. Note that disabling subscriber registration may impact legitimate user onboarding workflows. Restricting plugin functionality may break content restriction features the plugin provides.

Share

CVE-2025-26969 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy