CVE-2026-2281
Stored XSS in WordPress Private Comment Plugin Label Text
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| private_comment | private_comment | to 0.0.4 (inc) |
| private_comment | private_comment | 0.0.3 |
| private_comment | private_comment | 0.0.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2281 is a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin "Private Comment" versions up to and including 0.0.4. The vulnerability arises because the plugin does not properly sanitize and escape the customizable "Label text" setting used for the private comment checkbox in the comment form.'}, {'type': 'paragraph', 'content': 'This insufficient sanitization allows authenticated users with Administrator-level access or higher to inject malicious scripts into the label text. These scripts are then stored and executed whenever a user accesses a page containing the injected label, potentially compromising the security of users viewing that page.'}, {'type': 'paragraph', 'content': "The issue specifically affects multi-site WordPress installations and those where the unfiltered_html capability is disabled. The vulnerability was fixed in version 0.0.5 by properly escaping the label text using WordPress's esc_html() function to neutralize any malicious code."}] [1, 3, 4]
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker with Administrator-level access to inject arbitrary JavaScript code into the label text of the private comment checkbox.
When other users access pages containing the injected label, the malicious script executes in their browsers. This can lead to various impacts such as session hijacking, unauthorized actions performed on behalf of users, or theft of sensitive information.
Because the vulnerability is a stored XSS, the malicious code persists in the system and affects all users who view the affected pages, increasing the risk and potential damage.
However, the attack requires the attacker to have Administrator-level access, which limits the risk to environments where such access is already compromised or granted.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability is a stored Cross-Site Scripting (XSS) issue in the Private Comment WordPress plugin versions up to 0.0.4, caused by insufficient sanitization of the 'Label text' setting in the plugin's admin discussion settings."}, {'type': 'paragraph', 'content': 'To detect if your system is vulnerable, you should check if the Private Comment plugin is installed and its version is 0.0.4 or earlier.'}, {'type': 'paragraph', 'content': "You can also inspect the 'Label text' setting in the WordPress admin under Options > Discussion to see if it contains suspicious or malicious script code."}, {'type': 'paragraph', 'content': 'Since this is a stored XSS vulnerability triggered by the label text setting, detection involves verifying the plugin version and examining the label text configuration.'}, {'type': 'list_item', 'content': 'Use WP-CLI to check the installed plugin version: `wp plugin get private-comment --field=version`'}, {'type': 'list_item', 'content': "Check the label text option value via WP-CLI: `wp option get private_comment_options` and inspect the 'label_text' or equivalent field for suspicious scripts."}, {'type': 'list_item', 'content': "Manually review the WordPress admin Discussion settings page for the Private Comment plugin's label text field."}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary mitigation is to update the Private Comment plugin to version 0.0.5 or later, where the stored XSS vulnerability via the label text setting has been fixed by properly sanitizing and escaping the label text.'}, {'type': 'paragraph', 'content': "If updating immediately is not possible, temporarily avoid using or modifying the 'Label text' setting in the plugin's admin settings to prevent injection of malicious scripts."}, {'type': 'paragraph', 'content': 'Review and sanitize any existing label text values in the plugin settings to remove any potentially malicious code.'}, {'type': 'paragraph', 'content': 'Restrict administrator-level access to trusted users only, since exploitation requires authenticated users with Administrator-level access.'}, {'type': 'paragraph', 'content': 'Ensure that your WordPress installation is configured securely, including enabling unfiltered_html only for trusted users, as the vulnerability affects installations where unfiltered_html is disabled.'}] [4, 3, 1]