Skip to main content

PrivateContent CVE-2026-57692

| EUVDEUVD-2026-40991 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-07-01 Patchstack GHSA-vwc9-859w-9p44
9.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable with low complexity, but 'privilege escalation' typically presupposes an existing low-privilege account, so PR:L rather than the vendor's PR:N; full CIA impact retained.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 14:20 vuln.today

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in LCweb PrivateContent allows Privilege Escalation.

This issue affects PrivateContent: from n/a through 9.9.2.

AnalysisAI

Privilege escalation in the LCweb PrivateContent WordPress plugin (all versions up to and including 9.9.2) lets attackers obtain permissions beyond those intended, driven by an incorrect privilege assignment flaw (CWE-266). The Patchstack-assigned CVSS of 9.8 (network, no privileges, no user interaction) implies an attacker could gain administrator-level control over a WordPress site's protected content and settings. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running PrivateContent ≤9.9.2
Delivery
Send crafted role/privilege request
Exploit
Trigger incorrect privilege assignment
Execution
Obtain elevated role/access
Impact
Access protected content and admin functions

Vulnerability AssessmentAI

Exploitation The target must be a WordPress site with the LCweb PrivateContent plugin installed and active at version 9.9.2 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are partly aligned and partly missing. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a crafted request to a WordPress site running PrivateContent 9.9.2 or earlier that manipulates the plugin's role/privilege assignment, causing the plugin to grant the attacker a higher access level than intended and exposing gated content or administrative capabilities. Given the AC:L vector this requires no special timing or conditions, though whether an initial low-privilege account is needed should be verified. …
Remediation No vendor-released patch version was identified in the provided data; the advisory only marks 9.9.2 as the last affected version, so administrators should upgrade to the next release published after 9.9.2 once confirmed on the WordPress plugin page or via Patchstack, and verify the exact fixed version there before relying on it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress instances running LCweb PrivateContent v9.9.2 or earlier and document in your asset inventory. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57692 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy