CVE-2026-2367 β€” Cross-site Scripting in Secure Copy Content Protection AND Content Locking

CWE-79 β€” Cross-site Scripting4 documents4 sources
Severity
6.4MEDIUMNVD
EPSS
0.0%
top 88.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Ays-pro Secure Copy Content Protection AND Content Locking
Timeline
PublishedFeb 25

Description

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ays_block' shortcode in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages1 packages

πŸ”΄Vulnerability Details

2
GHSA
GHSA-hpp6-437r-vmvj: The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ays_block'β†—2026-02-25
β–Ά
CVEList
Secure Copy Content Protection and Content Locking <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute↗2026-02-25
β–Ά

πŸ•΅οΈThreat Intelligence

1
Wiz
CVE-2026-2367 Impact, Exploitability, and Mitigation Steps | Wiz↗
β–Ά
CVE-2026-2367 β€” Cross-site Scripting | cvebase