CVE-2026-9269
Description
Stored XSS in Secure Copy Content Protection plugin before 5.1.5 allows admin-level users to inject scripts even when unfiltered_html is disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Secure Copy Content Protection and Content Locking WordPress plugin, in versions before 5.1.5, fails to sanitize and escape the ays_sccp_sub_icon_image parameter in its settings. This allows high-privilege users (such as admins) to store malicious JavaScript that executes when the settings page is viewed. The vulnerability is present even when the unfiltered_html capability is disallowed, such as in multisite configurations. [1]
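The sanitize-on-save and escape-on-output pattern that the paragraph above says is missing, as an added illustration that is not the plugin's source or its 5.1.5 fix. Only the parameter name comes from the advisory; the option name, nonce action and function names are hypothetical, and the setting is assumed to hold an image URL.

```php
<?php
// Added example: runs inside WordPress, not stand-alone.
// Hypothetical names: SCCP_DEMO_OPTION, sccp_demo_* and the nonce action.
// Assumption: ays_sccp_sub_icon_image is meant to carry an http(s) image URL.

const SCCP_DEMO_OPTION = 'sccp_demo_sub_icon_image';

// Save handler: validate the value itself instead of relying on the
// caller's unfiltered_html capability.
function sccp_demo_save_sub_icon() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'sccp_demo_save_settings' );

    $raw = '';
    if ( isset( $_POST['ays_sccp_sub_icon_image'] )
        && is_string( $_POST['ays_sccp_sub_icon_image'] ) ) {
        $raw = wp_unslash( $_POST['ays_sccp_sub_icon_image'] );
    }

    // esc_url_raw() drops characters that are invalid in a URL and returns
    // an empty string for schemes outside the allow-list passed here.
    $url = esc_url_raw( $raw, array( 'http', 'https' ) );

    update_option( SCCP_DEMO_OPTION, $url );
}

// Settings page output: escape again for the exact HTML context, so a value
// stored before the save handler was hardened is still rendered inert.
function sccp_demo_render_sub_icon_field() {
    $url = (string) get_option( SCCP_DEMO_OPTION, '' );

    printf(
        '<input type="hidden" name="ays_sccp_sub_icon_image" value="%s" />',
        esc_attr( $url )
    );

    if ( '' !== $url ) {
        printf(
            '<img src="%s" alt="" />',
            esc_url( $url, array( 'http', 'https' ) )
        );
    }
}
```

Escaping at render time matters as much as the save-time check, because values written to the database by a vulnerable version remain there after an upgrade.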
Exploitation
An attacker with administrator-level access to the WordPress site can inject arbitrary JavaScript into the ays_sccp_sub_icon_image setting. The stored payload will execute in the context of any admin who visits the affected settings page. No additional user interaction beyond viewing the page is required. [1]
Impact
Successful exploitation results in stored cross-site scripting (XSS), allowing the attacker to perform actions such as stealing session cookies, modifying site content, or escalating privileges within the WordPress admin interface. The attack bypasses the unfiltered_html restriction, making it effective in multisite environments, where typically only super admins have that capability. [1]
Mitigation
The vulnerability is fixed in version 5.1.5 of the plugin. Users should update to this version immediately. No workarounds are provided in the available references. [1]
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <5.1.5
- Range: <5.1.5
Patches
No patches discovered yet.
References