PatchSiren cyber security CVE debrief
CVE-2026-9269 WordPress.org CVE debrief
CVE-2026-9269 is a Stored Cross-Site Scripting (XSS) vulnerability in the Secure Copy Content Protection and Content Locking WordPress plugin before version 5.1.5. The plugin does not properly sanitize and escape some of its settings, potentially allowing high-privilege users, such as administrators, to perform Stored XSS attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup). The vulnerability has a CVSS score of 3.5 and a severity of LOW.
- Vendor
- WordPress.org
- Product
- Secure Copy Content Protection and Content Locking
- CVSS
- LOW 3.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-12
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-12
Who should care
Users of the Secure Copy Content Protection and Content Locking WordPress plugin, particularly those with high privileges (e.g., administrators), should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability exists due to insufficient sanitization and escaping of certain settings in the Secure Copy Content Protection and Content Locking WordPress plugin. This could enable high-privilege users to inject malicious scripts, potentially leading to Stored XSS attacks.
Defensive priority
LOW
Recommended defensive actions
- Update the Secure Copy Content Protection and Content Locking WordPress plugin to version 5.1.5 or later.
- Review and sanitize user-input settings to prevent Stored XSS attacks.
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information is available at [ref-4].
Official resources
-
CVE-2026-9269 CVE record
CVE.org
-
CVE-2026-9269 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE-2026-9269 was published on 2026-06-12T07:16:21.237Z and modified on 2026-06-12T15:57:31.627Z.