{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0743", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-08T17:10:16.326Z", "datePublished": "2026-02-04T08:25:32.820Z", "dateUpdated": "2026-04-08T17:29:32.784Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:32.784Z"}, "affected": [{"vendor": "orenhav", "product": "WP Content Permission", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Content Permission plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ohmem-message' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WP Content Permission <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'ohmem-message' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e44403cd-1cee-43c4-aabc-3eaad433c020?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-content-permission/trunk/admin/views/admin.php#L74"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-content-permission/tags/1.2/admin/views/admin.php#L74"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Bhumividh Treloges"}], "timeline": [{"time": "2026-02-03T19:40:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:53:00.518833Z", "id": "CVE-2026-0743", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:53:12.830Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0743", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T16:53:00.518833Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:53:09.388Z"}}], "cna": {"title": "WP Content Permission <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'ohmem-message' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Bhumividh Treloges"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "orenhav", "product": "WP Content Permission", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-03T19:40:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e44403cd-1cee-43c4-aabc-3eaad433c020?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-content-permission/trunk/admin/views/admin.php#L74"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-content-permission/tags/1.2/admin/views/admin.php#L74"}], "descriptions": [{"lang": "en", "value": "The WP Content Permission plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ohmem-message' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:32.784Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0743", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:32.784Z", "dateReserved": "2026-01-08T17:10:16.326Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-04T08:25:32.820Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Content Permission plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ohmem-message' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin WP que contiene permisos para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro 'ohmem-message' en todas las versiones hasta la 1.2, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de nivel de Administrador y superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-0743", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-04T09:15:52.653", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-content-permission/tags/1.2/admin/views/admin.php#L74"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-content-permission/trunk/admin/views/admin.php#L74"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e44403cd-1cee-43c4-aabc-3eaad433c020?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T21:27:30.585027+00:00", "value": {"mitigation_remediation": ["Update the WP Content Permission plugin to the latest release that addresses the stored XSS vulnerability (at least version\u202f1.3).", "Restrict administrative access by changing passwords, using two\u2011factor authentication, and ensuring that only trusted users hold Administrator privileges.", "If an update is not yet available, temporarily deactivate the WP Content Permission plugin or remove it entirely until a patch is released."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting via the 'ohmem\u2011message' parameter"}, "threat_synthesis": {"affected_systems": "Vulnerable versions of the WP Content Permission plugin are all releases up to and including 1.2. The plugin is maintained by orenhav for WordPress sites and is commonly installed on environments that allow administrative configuration via the WordPress dashboard.", "description_and_impact": "The WP Content Permission plugin for WordPress permits an authenticated attacker, specifically users with Administrator or higher privileges, to store and inject arbitrary JavaScript code into plugin configuration pages. The injection occurs through the 'ohmem-message' parameter, which is neither sanitized nor escaped when saved, making the content persist and execute whenever any user accesses the affected page. This weakness is classified as CWE\u201179 and can lead to session hijacking, defacement, or theft of credentials if a victim interacts with the compromised page.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 4.4, indicating moderate severity, and an EPSS score of less than 1\u202f%, reflecting a very low probability of exploitation. It is not identified as a known exploited vulnerability by CISA. No known public exploits are reported, and the attack requires authenticated access with administrative rights. Consequently, the risk is limited to sites that have compromised admin accounts or use compromised credentials, but the potential impact of in\u2011browser code execution remains significant if such conditions are met."}}}}, "created": "2026-02-04T21:18:14.353782+00:00", "updated": "2026-04-15T21:30:13.896961+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}