CVE-2026-9269
Stored XSS in Secure Copy Content Protection WordPress Plugin

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: WPScan

Description
The Secure Copy Content Protection and Content Locking WordPress plugin before 5.1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected Vendors & Products
Vendor: secure_copy_content_protection
Product: secure_copy_content_protection
Version / Range: up to 5.1.5 (exclusive)
Executive Summary

CVE-2026-9269 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin "Secure Copy Content Protection and Content Locking" versions before 5.1.5.

The plugin does not properly sanitize and escape certain settings, specifically the `ays_sccp_sub_icon_image` parameter.

This flaw allows high-privilege users, such as administrators, to inject malicious scripts even if the `unfiltered_html` capability is disabled, for example in multisite WordPress setups.

An attacker with admin access can exploit this by submitting crafted input in the plugin settings, which triggers the XSS attack when the input is rendered.

Impact Analysis

This vulnerability can allow an attacker with administrative privileges to execute malicious scripts within the context of the affected WordPress site.

Such Stored Cross-Site Scripting attacks can lead to session hijacking, defacement, unauthorized actions performed on behalf of users, or theft of sensitive information.

Although the vulnerability is rated low severity with a CVSS score of 3.5, it still poses a risk, especially in environments where multiple users or sensitive data are involved.

Detection Guidance

This vulnerability can be detected by verifying the version of the Secure Copy Content Protection and Content Locking WordPress plugin installed on your system. Versions prior to 5.1.5 are vulnerable.

Additionally, detection involves checking for the presence of malicious stored scripts in the plugin settings, especially in the parameter `ays_sccp_sub_icon_image`.

Since the exploit requires admin access to submit crafted payloads, monitoring admin activity and reviewing plugin settings for suspicious script content can help identify exploitation attempts.

No network-level check is provided for this vulnerability, but WP-CLI can report the installed plugin version, for example:

  • `wp plugin get secure-copy-content-protection --field=version`

If the version is below 5.1.5, the plugin is vulnerable.
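
The version check above can be scripted so the comparison is done in version order rather than as a plain string (a string compare would wrongly rank 5.1.10 below 5.1.5). This is an added example, not part of the advisory or the plugin; the `is_vulnerable` and `check_site` helper names are hypothetical, and it assumes WP-CLI and a `sort` that supports `-V`.

```shell
#!/bin/sh
# Added example: gate on the fixed version named in the advisory.
FIXED="5.1.5"                              # first patched release (from the page)
SLUG="secure-copy-content-protection"      # plugin slug (from the page)

# is_vulnerable VERSION
# Returns 0 if VERSION is older than $FIXED, 1 if it is $FIXED or newer,
# and 2 if no version was supplied.
is_vulnerable() {
    ver="$1"
    if [ -z "$ver" ]; then return 2; fi
    if [ "$ver" = "$FIXED" ]; then return 1; fi
    # sort -V orders dotted versions numerically per component,
    # so 5.1.10 sorts after 5.1.5 and 5.1.4.9 sorts before it.
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED" | sort -V | head -n 1)
    [ "$lowest" = "$ver" ]
}

# check_site WP_PATH
# Queries WP-CLI for the installed plugin version under WP_PATH and
# reports the result. Same return codes as is_vulnerable.
check_site() {
    ver=$(wp plugin get "$SLUG" --field=version --path="$1" 2>/dev/null) || {
        echo "$1: $SLUG not installed, or wp-cli failed"
        return 2
    }
    if is_vulnerable "$ver"; then
        echo "$1: $SLUG $ver is VULNERABLE (fixed in $FIXED)"
        return 0
    fi
    echo "$1: $SLUG $ver is patched"
    return 1
}

# Run against a WordPress root when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_site "$1"
fi
```

Run it as `sh check.sh /var/www/html` (path is a placeholder) or source it and call `check_site` once per WordPress root on the host.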

Mitigation Strategies

The immediate mitigation step is to update the Secure Copy Content Protection and Content Locking WordPress plugin to version 5.1.5 or later, where the vulnerability has been fixed.

Until the update is applied, restrict admin access to trusted users only, as the vulnerability requires high privilege user access to exploit.

Additionally, review and sanitize any plugin settings, especially the `ays_sccp_sub_icon_image` parameter, to remove any potentially malicious scripts.
