{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4025", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-11T20:53:14.633Z", "datePublished": "2026-04-08T09:25:49.620Z", "dateUpdated": "2026-04-08T17:14:14.677Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:14.677Z"}, "affected": [{"vendor": "lcweb-projects", "product": "PrivateContent Free", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The PrivateContent Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' shortcode attribute in the [pc-login-form] shortcode in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on the 'align' attribute. Specifically, the attribute value flows from the shortcode through pc_login_form() to pc_static::form_align(), where it is directly concatenated into an HTML class attribute without esc_attr() or any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "PrivateContent Free <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'align' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a9ed2943-e108-49e3-ba16-f74ce3136bde?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/trunk/classes/pc_static.php#L764"}, {"url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/tags/1.2.0/classes/pc_static.php#L764"}, {"url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/trunk/main_includes/shortcodes.php#L10"}, {"url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/tags/1.2.0/main_includes/shortcodes.php#L10"}, {"url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/trunk/main_includes/public_api.php#L413"}, {"url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/tags/1.2.0/main_includes/public_api.php#L413"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3497358%40privatecontent-free&new=3497358%40privatecontent-free&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2026-03-12T08:27:15.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T21:05:38.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T13:21:15.931658Z", "id": "CVE-2026-4025", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T13:21:23.327Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4025", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T13:21:15.931658Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T13:21:19.899Z"}}], "cna": {"title": "PrivateContent Free <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'align' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "lcweb-projects", "product": "PrivateContent Free", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-12T08:27:15.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T21:05:38.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a9ed2943-e108-49e3-ba16-f74ce3136bde?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/trunk/classes/pc_static.php#L764"}, {"url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/tags/1.2.0/classes/pc_static.php#L764"}, {"url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/trunk/main_includes/shortcodes.php#L10"}, {"url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/tags/1.2.0/main_includes/shortcodes.php#L10"}, {"url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/trunk/main_includes/public_api.php#L413"}, {"url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/tags/1.2.0/main_includes/public_api.php#L413"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3497358%40privatecontent-free&new=3497358%40privatecontent-free&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The PrivateContent Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' shortcode attribute in the [pc-login-form] shortcode in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on the 'align' attribute. Specifically, the attribute value flows from the shortcode through pc_login_form() to pc_static::form_align(), where it is directly concatenated into an HTML class attribute without esc_attr() or any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:14.677Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4025", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:14:14.677Z", "dateReserved": "2026-03-11T20:53:14.633Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T09:25:49.620Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The PrivateContent Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' shortcode attribute in the [pc-login-form] shortcode in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on the 'align' attribute. Specifically, the attribute value flows from the shortcode through pc_login_form() to pc_static::form_align(), where it is directly concatenated into an HTML class attribute without esc_attr() or any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4025", "lastModified": "2026-04-24T18:05:09.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T10:16:00.813", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/tags/1.2.0/classes/pc_static.php#L764"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/tags/1.2.0/main_includes/public_api.php#L413"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/tags/1.2.0/main_includes/shortcodes.php#L10"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/trunk/classes/pc_static.php#L764"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/trunk/main_includes/public_api.php#L413"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/privatecontent-free/trunk/main_includes/shortcodes.php#L10"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3497358%40privatecontent-free&new=3497358%40privatecontent-free&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a9ed2943-e108-49e3-ba16-f74ce3136bde?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PrivateContent Free", "source": "cna", "vendor": "lcweb-projects"}, "product": "privatecontent_free", "vendor": "lcweb-projects"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:20:40.883689+00:00", "value": {"mitigation_remediation": ["Upgrade the PrivateContent Free plugin to the latest version that contains the fix.", "If an update is not available, remove or disable the plugin from sites where it is not essential.", "If the plugin is required, ensure that users with Contributor access are replaced with lower\u2011privilege roles or that the attribute is omitted from the shortcode usage.", "Verify that the vulnerability has been mitigated by attempting to inject a harmless payload in the align attribute and confirming it does not execute."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting via authenticated user input"}, "threat_synthesis": {"affected_systems": "All installations of the PrivateContent Free plugin with a version of 1.2.0 or earlier are vulnerable. The flaw targets WordPress sites that host the plugin and include the vulnerable shortcode.\n", "description_and_impact": "The PrivateContent Free plugin for WordPress enables authenticated users with Contributor-level access or higher to embed malicious JavaScript within the \u2018align\u2019 attribute of the [pc-login-form] shortcode. Because the plugin does not sanitize or escape the attribute, the injected script is stored and later rendered as part of the HTML class attribute, allowing cross\u2011site scripting that can hijack sessions, deface content, or exfiltrate data. This flaw is a classic stored XSS reflected in the content served to unsuspecting visitors.", "risk_and_exploitability": "Security analysis assigns a CVSS score of 6.4, reflecting moderate severity. The lack of an EPSS score suggests no publicly available exploit data, and the vulnerability is not listed in CISA\u2019s KEV catalog, indicating it has not yet been broadly exploited. However, attackers with Contributor or higher permissions can craft a malicious value for the \u2018align\u2019 attribute to trigger stored XSS, which could lead to privilege escalation or defacement on sites lacking proper input guarding."}}}}, "created": "2026-04-08T19:27:17.160965+00:00", "updated": "2026-04-08T19:39:54.750237+00:00", "vendors": ["lcweb-projects", "lcweb-projects$PRODUCT$privatecontent_free", "wordpress", "wordpress$PRODUCT$wordpress"]}