Secure Copy Content Protection and Content Locking < 5.1.5 - Admin+ Stored XSS via ays_sccp_sub_icon_image Parameter
Summary
| CVE | CVE-2026-9269 |
|---|---|
| State | PUBLISHED |
| Assigner | WPScan |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-12 07:16:21 UTC |
| Updated | 2026-06-12 15:57:31 UTC |
| Description | The Secure Copy Content Protection and Content Locking WordPress plugin before 5.1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
Risk And Classification
Primary CVSS: v3.1 3.5 LOW from ADP
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
EPSS: 0.001450000 probability, percentile 0.041170000 (date 2026-06-19)
Problem Types: CWE-79 Cross-Site Scripting (XSS)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 3.5 | LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 3.5 | LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
HighUser Interaction
RequiredScope
UnchangedConfidentiality
LowIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Unknown | Secure Copy Content Protection And Content Locking | affected 5.1.5 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| wpscan.com/vulnerability/61a3f41d-f031-4dba-b5cf-4ca3bce71b1b | [email protected] | wpscan.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Luca Jungnickel (en)
CNA: WPScan (en)
There are currently no legacy QID mappings associated with this CVE.