Description
The WP Content Permission plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ohmem-message' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-04
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via the 'ohmem-message' parameter
Action: Patch Immediately
AI Analysis

Impact

The WP Content Permission plugin for WordPress permits an authenticated attacker with Administrator or higher privileges to store and inject arbitrary JavaScript into plugin configuration pages. The injection occurs through the 'ohmem-message' parameter, which is neither sanitized when saved nor escaped when output, so the injected content persists and executes whenever any user accesses the affected page. This weakness is classified as CWE-79 and can lead to session hijacking, defacement, or theft of credentials if a victim interacts with the compromised page.
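The defect class this record describes, a plugin option stored without sanitization and printed without escaping, shown beside its hardened form in WordPress-style PHP. This is an added example, not the plugin's code; the option name, nonce action and function names are assumptions.

```php
<?php
// Added illustration of the CWE-79 pattern in the advisory (store unsanitized, print
// unescaped) beside a hardened form. Not WP Content Permission's code; the option
// name 'demo_ohmem_message', the nonce action and the function names are assumptions.

// Vulnerable pattern: raw POST data is stored and later echoed verbatim, so any
// markup an administrator submits is rendered (and executed) for every visitor.
function demo_save_message_unsafe() {
    update_option( 'demo_ohmem_message', $_POST['ohmem-message'] ); // no sanitization
}
function demo_render_message_unsafe() {
    echo '<div class="notice">' . get_option( 'demo_ohmem_message' ) . '</div>'; // no escaping
}

// Hardened pattern: authorize the request, sanitize on save, escape on output.
function demo_save_message_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'demo_save_message' ); // nonce check; dies on failure
    $raw = isset( $_POST['ohmem-message'] ) ? wp_unslash( $_POST['ohmem-message'] ) : '';
    // Plain-text message: strip all tags before storing. If limited HTML is a
    // requirement, wp_kses_post() is the allow-list alternative.
    update_option( 'demo_ohmem_message', sanitize_textarea_field( $raw ) );
}
function demo_render_message_safe() {
    // Escape at output regardless of what was stored: stored data is untrusted.
    $msg = get_option( 'demo_ohmem_message', '' );
    echo '<div class="notice">' . esc_html( $msg ) . '</div>';
}

// Settings form field for the admin page: pre-fill through esc_textarea() and carry the nonce.
function demo_render_message_field() {
    wp_nonce_field( 'demo_save_message' );
    echo '<textarea name="ohmem-message">'
        . esc_textarea( get_option( 'demo_ohmem_message', '' ) )
        . '</textarea>';
}
```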

Affected Systems

Vulnerable versions of the WP Content Permission plugin are all releases up to and including 1.2. The plugin is maintained by orenhav for WordPress sites and is commonly installed on environments that allow administrative configuration via the WordPress dashboard.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.4, indicating moderate severity, and an EPSS score of less than 1%, reflecting a very low probability of exploitation. It is not listed as a known exploited vulnerability by CISA. No public exploits are reported, and the attack requires authenticated access with administrative rights. Consequently, the risk is limited to sites whose admin accounts or credentials are already compromised, but the impact of in-browser code execution remains significant where that condition is met.

Generated by OpenCVE AI on April 15, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Content Permission plugin to the latest release that addresses the stored XSS vulnerability (at least version 1.3).
  • Restrict administrative access by changing passwords, using two-factor authentication, and ensuring that only trusted users hold Administrator privileges.
  • If an update is not yet available, temporarily deactivate the WP Content Permission plugin or remove it entirely until a patch is released.

Generated by OpenCVE AI on April 15, 2026 at 21:27 UTC.


Advisories

No advisories yet.

History

Wed, 04 Feb 2026 21:30:00 +0000

First Time appeared (values added): Wordpress; Wordpress wordpress
Vendors & Products (values added): Wordpress; Wordpress wordpress

Wed, 04 Feb 2026 17:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 08:45:00 +0000

Description (values added): The WP Content Permission plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ohmem-message' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title (values added): WP Content Permission <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'ohmem-message' Parameter
Weaknesses (values added): CWE-79
References (values added): none listed
Metrics (values added): cvssV3_1
{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:32.784Z

Reserved: 2026-01-08T17:10:16.326Z

Link: CVE-2026-0743

Vulnrichment

Updated: 2026-02-04T16:53:09.388Z

NVD

Status: Deferred

Published: 2026-02-04T09:15:52.653

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0743

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:30:13Z

Weaknesses