Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable with low complexity, but 'privilege escalation' typically presupposes an existing low-privilege account, so PR:L rather than the vendor's PR:N; full CIA impact retained.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Incorrect Privilege Assignment vulnerability in LCweb PrivateContent allows Privilege Escalation.
This issue affects PrivateContent: from n/a through 9.9.2.
AnalysisAI
Privilege escalation in the LCweb PrivateContent WordPress plugin (all versions up to and including 9.9.2) lets attackers obtain permissions beyond those intended, driven by an incorrect privilege assignment flaw (CWE-266). The Patchstack-assigned CVSS of 9.8 (network, no privileges, no user interaction) implies an attacker could gain administrator-level control over a WordPress site's protected content and settings. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target must be a WordPress site with the LCweb PrivateContent plugin installed and active at version 9.9.2 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are partly aligned and partly missing. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a crafted request to a WordPress site running PrivateContent 9.9.2 or earlier that manipulates the plugin's role/privilege assignment, causing the plugin to grant the attacker a higher access level than intended and exposing gated content or administrative capabilities. Given the AC:L vector this requires no special timing or conditions, though whether an initial low-privilege account is needed should be verified. … |
| Remediation | No vendor-released patch version was identified in the provided data; the advisory only marks 9.9.2 as the last affected version, so administrators should upgrade to the next release published after 9.9.2 once confirmed on the WordPress plugin page or via Patchstack, and verify the exact fixed version there before relying on it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all WordPress instances running LCweb PrivateContent v9.9.2 or earlier and document in your asset inventory. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Privatecontent
View allSame weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40991
GHSA-vwc9-859w-9p44