Secure Copy Content Protection and Content Locking < 2.8.2 - Unauthenticated SQL Injection
Description
Unauthenticated SQL injection in sccp_id parameter of the Secure Copy Content Protection plugin for WordPress versions before 2.8.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Secure Copy Content Protection and Content Locking WordPress plugin before version 2.8.2 fails to properly escape the sccp_id parameter in the ays_sccp_results_export_file AJAX action. The parameter is used directly in a SQL statement without sanitization, which leads to SQL injection. The AJAX action is available to both unauthenticated and authenticated users, so the vulnerability can be exploited without any prior authentication [1][2].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the affected WordPress site targeting the ays_sccp_results_export_file AJAX action. The sccp_id parameter can be injected with malicious SQL payloads. No authentication or user interaction is required, and the attacker only needs network access to the WordPress instance [1]. Proof-of-concept code is publicly available [2].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands against the WordPress database. This could lead to the disclosure of sensitive data, including user credentials, password hashes, and other site content. The attacker could also potentially modify or delete data, depending on the database user's privileges [1].
Mitigation
The vulnerability is fixed in version 2.8.2 of the plugin, released on 2021-11-08 [1]. Users must update to version 2.8.2 or later. There is no known workaround other than immediately updating the plugin. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
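An added example, not code from the plugin or from the advisory: a log check that reports requests to the ays_sccp_results_export_file action whose sccp_id value is not a plain decimal integer. It assumes combined-format access logs, that sccp_id is meant to be a numeric ID (also when sent in PHP array form as sccp_id[]), and that the request goes to WordPress's /wp-admin/admin-ajax.php with its parameters in the query string; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ACTION = "ays_sccp_results_export_file"  # AJAX action named in the advisory
PARAM = "sccp_id"                        # injectable parameter named in the advisory

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ ([^"]*?)(?: HTTP/[0-9.]+)?" (\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Nov/2021:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id=3 HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/Nov/2021:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id%5B%5D=1%20OR%201%3D1 HTTP/1.1" 200 9034',
    '198.51.100.4 - - [08/Nov/2021:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&sccp_id=x HTTP/1.1" 200 20',
    '198.51.100.4 - - [08/Nov/2021:10:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 20',
]

def suspicious_requests(lines):
    """Return (ip, time, status, decoded_value) for every request to the
    vulnerable action whose sccp_id is not a plain decimal integer."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, when, target, status = m.groups()
        try:
            url = urlsplit(target)
        except ValueError:          # malformed request target
            continue
        if not url.path.endswith("/admin-ajax.php"):
            continue
        # parse_qsl percent-decodes; keep blanks so an empty sccp_id is seen.
        params = parse_qsl(url.query, keep_blank_values=True)
        if not any(k == "action" and v == ACTION for k, v in params):
            continue
        for key, value in params:
            # Assumption: also cover PHP array syntax such as sccp_id[]=...
            if key.split("[", 1)[0] == PARAM and not re.fullmatch(r"[0-9]+", value):
                hits.append((ip, when, status, value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body do not appear in access logs, so this check only covers query-string requests; body inspection needs WAF or application-level logging.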
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/Secure Copy Content Protection and Content Locking
- Range: <2.8.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin fails to properly sanitize the `sccp_id` parameter before incorporating it into a SQL query."
Attack vector
An attacker can exploit this vulnerability by sending a crafted request to the `ays_sccp_results_export_file` AJAX action. This action is accessible to both unauthenticated and authenticated users. The `sccp_id` parameter is not escaped, allowing an attacker to inject malicious SQL code into the query, leading to SQL injection. The exploit author demonstrates using sqlmap with a payload targeting this vulnerability [ref_id=1].
Affected code
The vulnerability exists in the `ays_sccp_results_export_file` AJAX action within the Secure Copy Content Protection and Content Locking WordPress plugin. The `sccp_id` parameter is directly used in a SQL statement without adequate sanitization.
What the fix does
The patch, identified by version 2.8.2, addresses the SQL injection vulnerability by properly escaping the `sccp_id` parameter. This ensures that any special characters or SQL commands within the parameter are treated as literal strings rather than executable SQL code. By sanitizing the input, the plugin prevents malicious SQL statements from being executed against the database.
Preconditions
- Input: The `sccp_id` parameter must be provided in the AJAX request.
- Network: The target WordPress site must have the vulnerable version of the Secure Copy Content Protection and Content Locking plugin installed.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References