| Plugin Name | Secure Copy Content Protection and Content Locking |
|---|---|
| Type of Vulnerability | Cross-Site Scripting (XSS) |
| CVE Number | CVE-2026-2367 |
| Urgency | Low |
| CVE Publish Date | 2026-02-24 |
| Source URL | CVE-2026-2367 |
Authenticated Contributor Stored XSS in ‘Secure Copy Content Protection’ — What It Means and How to Respond
Date: 2026-02-24 | Author: Hong Kong Security Expert
TL;DR
Stored Cross‑Site Scripting (XSS) (CVE‑2026‑2367) affects Secure Copy Content Protection and Content Locking (≤ 5.0.1). An authenticated Contributor can inject a malicious payload via a shortcode attribute; the payload is stored with the post and executed later when a higher‑privileged user views the affected page. The vendor patched the issue in version 5.0.2. Immediate action: confirm whether the plugin is installed and which version is running, upgrade to 5.0.2+, or apply temporary mitigations (disable the plugin, restrict content creation, scan and clean). Below is a technical explanation, detection and remediation guidance, and practical steps for Hong Kong-based sites and administrators.
Background and impact
- Vulnerability: Stored Cross‑Site Scripting (XSS) via shortcode attribute
- Affected software: Secure Copy Content Protection and Content Locking — versions ≤ 5.0.1
- Patched in: 5.0.2
- CVE: CVE‑2026‑2367
- Reported: 24 Feb, 2026
- Required privilege for injection: Contributor
- CVSS (reported): 6.5 — moderate
Why this matters: Contributor accounts are commonly used for guest posts and collaboration. If Contributors can store shortcode attributes containing executable JS, attackers can cause script execution in the browser of Editors or Admins who view the content. Stored XSS can enable session theft, privilege escalation, and site compromise.
How this particular vulnerability works (technical summary)
WordPress shortcodes are handled by callback functions that receive the attribute array ($atts) parsed from the shortcode text. If the plugin outputs attribute values without proper sanitization and escaping for the HTML context they land in, attributes containing HTML/JS can execute in another user’s browser. In this case, a Contributor can save a crafted shortcode attribute that is later rendered and executed when a privileged user views the page.
Conceptual example (do not execute):
[secure_copy attr="
"]
Important caveats:
- Contributors usually lack the unfiltered_html capability, so WordPress filters their post content on save; a plugin that renders shortcode attribute values or its own input fields without escaping sidesteps that protection.
- Exploitation typically requires a privileged user to view or preview the page.
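The unsafe rendering pattern described above, next to the hardened form, as an added illustration for plugin developers and reviewers; this is not the plugin's own code, and the shortcode name, attribute name and function names are assumed for the example.

```php
<?php
// Added example, not the plugin's code. Shortcode and attribute names are assumed.

// UNSAFE pattern: the attribute value is concatenated straight into HTML.
// Whatever a Contributor typed into message="..." reaches the browser of
// whoever renders the post, such as an Editor previewing a draft.
function example_unsafe_notice_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'message' => 'Copying is disabled on this page.' ),
        $atts,
        'example_notice'
    );
    return '<div class="notice" title="' . $atts['message'] . '">'
         . $atts['message'] . '</div>';
}

// HARDENED pattern: sanitize on input, then escape for the exact output
// context at the point of output. esc_attr() for an HTML attribute value,
// esc_html() for text between tags. If limited markup must be allowed,
// use wp_kses() with an explicit allow-list instead of echoing raw input.
function example_safe_notice_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'message' => 'Copying is disabled on this page.' ),
        $atts,
        'example_notice'
    );
    $message = sanitize_text_field( $atts['message'] ); // strips tags, trims, removes line breaks
    return '<div class="notice" title="' . esc_attr( $message ) . '">'
         . esc_html( $message ) . '</div>';
}

// Only the hardened callback is registered; the unsafe one is shown for contrast.
add_shortcode( 'example_notice', 'example_safe_notice_shortcode' );
```

The key review question for any shortcode callback is whether every attribute value is escaped with the function matching the context where it is printed, not whether the author of the post was trusted.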
Attack scenarios
- Guest author program: Attacker submits draft content with malicious shortcode attributes; editor/admin previews and triggers payload.
- Compromised contributor account: Attacker edits posts to include payloads; visitors or admins are affected when viewing.
- Social engineering + review: Attacker lures privileged users to a malicious page (direct link to draft or post preview).
Potential attacker goals: credential theft, privileged actions via session context, persistent malicious scripts, creation of backdoors or accounts, and distribution of further payloads to site visitors.
Risk assessment — who should worry most?
- Sites accepting guest content or Contributor submissions without strict moderation.
- Sites where Editors/Admins frequently preview or review content.
- Sites with the vulnerable plugin installed and unpatched (≤ 5.0.1).
Treat this as actionable for any production site using the plugin. Even low‑privilege inputs can be leveraged to execute in a privileged user’s browser.
Immediate remediation checklist (what to do right now)
- Upgrade: Update the plugin to version 5.0.2 or later — this is the definitive fix.
- If you cannot update immediately, temporary mitigations: