PrivateContent CVE-2025-26972
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5.
AnalysisAI
Reflected cross-site scripting (XSS) in PrivateContent WordPress plugin through version 8.11.5 allows remote attackers to inject malicious JavaScript into victim browsers by crafting specially-formed URLs. The vulnerability requires user interaction (victim must click malicious link) but no authentication. Exploitation probability is low (EPSS 9%, 26th percentile) with no active exploitation confirmed and no CISA KEV listing. Patchstack has documented this vulnerability, indicating security research awareness.
Technical ContextAI
PrivateContent is a WordPress plugin for content restriction and membership management. This vulnerability stems from CWE-79 (improper neutralization of input during web page generation), meaning the plugin fails to properly sanitize or encode user-controlled input before rendering it in HTML responses. Reflected XSS vulnerabilities typically occur when URL parameters, form inputs, or HTTP headers are directly echoed into page output without validation or context-appropriate encoding. The changed scope (S:C) in the CVSS vector indicates the vulnerable component (the plugin) differs from the impacted component (the victim's browser session), characteristic of client-side injection attacks. WordPress plugins commonly exhibit XSS when handling shortcode parameters, AJAX endpoints, or admin dashboard inputs without leveraging WordPress's built-in sanitization functions like esc_html(), esc_url(), or wp_kses().
Affected ProductsAI
WordPress PrivateContent plugin versions up to and including 8.11.5 are confirmed vulnerable per Patchstack database. The vulnerability report indicates all versions prior to a patched release are affected, though the exact version when the flaw was introduced is not specified ('from n/a'). Patchstack advisory available at https://patchstack.com/database/wordpress/plugin/private-content/vulnerability/wordpress-privatecontent-plugin-8-11-5-reflected-cross-site-scripting-xss-vulnerability. No CPE identifier provided in available data, limiting automated asset inventory correlation. Affected installations are WordPress sites with PrivateContent plugin active, particularly those using member-facing or content-restriction features that process URL parameters.
RemediationAI
Update PrivateContent plugin to version 8.11.6 or later if available - Patchstack typically documents vulnerabilities after vendor patches are released, though exact fix version is not confirmed in provided data. Check WordPress dashboard for plugin updates or monitor vendor release notes. Until patch is applied, implement these compensating controls with noted trade-offs: deploy Web Application Firewall (WAF) rules to block common XSS patterns in URLs targeting PrivateContent endpoints (may cause false positives for legitimate encoded characters in member content); enable Content Security Policy headers with strict 'script-src' directives to prevent inline script execution (requires auditing existing inline scripts and may break legitimate plugin functionality); restrict plugin access to trusted administrator IPs only via .htaccess or firewall rules (reduces attack surface but limits remote management). Train users to avoid clicking unsolicited links to the WordPress site. Full advisory: https://patchstack.com/database/wordpress/plugin/private-content/vulnerability/wordpress-privatecontent-plugin-8-11-5-reflected-cross-site-scripting-xss-vulnerability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today