Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aldo Latino PrivateContent private-content. This issue affects PrivateContent: from n/a through <= 8.11.4.
Published: 2025-03-15
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw caused by a failure to properly neutralize special elements in data that is used to build SQL commands. An attacker who can supply input to a vulnerable plugin interface can inject arbitrary SQL, enabling unauthorized reading, modification, or deletion of database content and potentially execution of further malicious code. This could lead to full control over the site and its data.

Affected Systems

The flaw exists in the Aldo Latino PrivateContent plugin, a popular WordPress plugin used for restricting access to content. Versions from the earliest release up to and including 8.11.4 are affected. Any WordPress site that has this plugin installed at one of these versions is potentially vulnerable.

Risk and Exploitability

The CVSS base score of 8.5 classifies the issue as high severity. The EPSS estimate indicates a very low probability (<1%) of exploitation activity in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the plugin is reached over the web, a remote attacker can trigger the injection simply by submitting crafted input to a publicly accessible page, provided the plugin handles that input. The vulnerability is a common SQL injection weakness (CWE-89) and requires no special prerequisites beyond access to the vulnerable endpoint (the CVSS vector records PR:L, i.e. a low-privileged account).

Generated by OpenCVE AI on May 1, 2026 at 13:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Aldo Latino PrivateContent plugin to version 8.11.5 or later, which removes the SQL injection flaw.
  • If an upgrade is not immediately possible, limit access to the plugin’s configuration pages and any exposed URLs to administrators only, and ensure that any custom SQL queries provided by the plugin are run through WordPress’s prepared statement API.
  • As a temporary workaround, disable or uninstall the PrivateContent plugin, or replace it with an alternative that follows secure coding practices, until the official patch is applied.
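The second recommended action refers to WordPress's prepared statement API. The following is an added illustration of what that looks like in plugin code; it is not code from the PrivateContent plugin (the plugin's vulnerable code is not on this page), and the function names, table name (`pc_users`) and column names are hypothetical. It shows a query built by string concatenation next to the same query bound through `$wpdb->prepare()`, an identifier allow-list for the parts a placeholder cannot bind, and a capability check of the kind the "administrators only" recommendation implies.

```php
<?php
// Added example, not code from the PrivateContent plugin. All names
// below (pc_example_*, the pc_users table, its columns) are hypothetical.

// INSECURE PATTERN: user-controlled input concatenated straight into SQL.
// Any quote or comment sequence in $username changes the query's structure.
function pc_example_lookup_user_insecure( string $username ) {
    global $wpdb;
    $table = $wpdb->prefix . 'pc_users'; // hypothetical table
    $sql   = "SELECT id, username FROM {$table} WHERE username = '" . $username . "' LIMIT 1";
    return $wpdb->get_row( $sql );
}

// HARDENED: $wpdb->prepare() binds the value through a %s placeholder, so
// whatever $username contains is escaped and treated as data, never as SQL.
function pc_example_lookup_user_secure( string $username ) {
    global $wpdb;
    $table = $wpdb->prefix . 'pc_users';
    $sql   = $wpdb->prepare(
        "SELECT id, username FROM {$table} WHERE username = %s LIMIT 1",
        $username
    );
    return $wpdb->get_row( $sql );
}

// Identifiers (table and column names) and keywords cannot be bound with
// %s/%d. When they must vary, validate them against a fixed allow-list
// before interpolating; anything not on the list falls back to a default.
function pc_example_list_users( string $order_by, string $direction ) {
    global $wpdb;
    $allowed_columns = array( 'id', 'username', 'registered' );
    $allowed_dirs    = array( 'ASC', 'DESC' );

    if ( ! in_array( $order_by, $allowed_columns, true ) ) {
        $order_by = 'id';
    }
    $direction = strtoupper( $direction );
    if ( ! in_array( $direction, $allowed_dirs, true ) ) {
        $direction = 'ASC';
    }

    $table = $wpdb->prefix . 'pc_users';
    // The only placeholder is the numeric status; $order_by and $direction
    // are safe to interpolate because they were reduced to allow-listed values.
    $sql = $wpdb->prepare(
        "SELECT id, username FROM {$table} WHERE status = %d ORDER BY {$order_by} {$direction}",
        1
    );
    return $wpdb->get_results( $sql );
}

// Handler for a hypothetical admin-only AJAX action. Restricting who can reach
// a query is a second layer, not a substitute for preparing the query itself.
function pc_example_admin_search_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'pc_example_search' ); // dies on a bad/missing nonce

    $username = isset( $_POST['username'] ) ? sanitize_text_field( wp_unslash( $_POST['username'] ) ) : '';
    $row      = pc_example_lookup_user_secure( $username );
    wp_send_json_success( $row );
}
add_action( 'wp_ajax_pc_example_search', 'pc_example_admin_search_handler' );
```

`sanitize_text_field()` is input hygiene, not SQL escaping; the protection against injection comes from `$wpdb->prepare()` alone, which is why the handler still routes through the prepared lookup. On WordPress 6.2 and later, `$wpdb->prepare()` also accepts the `%i` placeholder for identifiers, which can replace the manual column allow-list shown above for the column name (the sort direction still needs the allow-list).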

Generated by OpenCVE AI on May 1, 2026 at 13:43 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-7726
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.4.
History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
  Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.4.
  Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aldo Latino PrivateContent private-content.This issue affects PrivateContent: from n/a through <= 8.11.4.
Type: References

Tue, 15 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
  Values Removed: {'score': 0.00048}
  Values Added: {'score': 0.00067}


Tue, 18 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 15 Mar 2025 22:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.4.
Title WordPress PrivateContent plugin <= 8.11.4 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:54.764Z

Reserved: 2025-02-17T11:51:40.975Z

Link: CVE-2025-26976

Vulnrichment

Updated: 2025-03-17T14:46:50.730Z

NVD

Status : Deferred

Published: 2025-03-15T22:15:15.407

Modified: 2026-04-29T10:16:43.600

Link: CVE-2025-26976

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:45:06Z

Weaknesses