Description
The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ays_block' shortcode in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-25
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via shortcode attribute
Action: Apply Patch
AI Analysis

Impact

The Secure Copy Content Protection and Content Locking plugin is vulnerable to stored cross‑site scripting because attributes supplied to the ays_block shortcode are insufficiently sanitized on input and insufficiently escaped on output. Authenticated users with contributor or higher privileges can therefore embed arbitrary JavaScript that executes in the browser of any visitor to the affected page. This flaw can compromise user confidentiality, alter site content, and serve as a vector for credential theft or defacement.

Affected Systems

WordPress sites that have the Secure Copy Content Protection and Content Locking plugin (listed under the vendor Ays-pro) installed in version 5.0.1 or earlier. The vulnerability is active on every installation that accepts input from users with contributor or higher rights.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while an EPSS score of less than 1% implies a very low current exploitation probability. The flaw is not listed in CISA’s KEV catalog. Attackers must possess a contributor‑level or higher account to inject the malicious payload, so the pool of potential attackers is limited to the site’s own user accounts. However, once leveraged, the injected script runs for every visitor to the page, potentially enabling session hijacking or data exfiltration. The low EPSS does not remove the need to address the flaw promptly, especially on sites with many user accounts or high traffic.

Generated by OpenCVE AI on April 15, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Secure Copy Content Protection and Content Locking plugin to the latest release that fixes the XSS issue.
  • Restrict contributor and higher role access to pages that use the ays_block shortcode until the upgrade is applied, or delete the shortcode from existing content that could be attacker‑controlled.
  • Scan all existing posts and pages for injected JavaScript and clean any malicious payloads, using a sanitization plugin if necessary.
  • Implement a Content Security Policy that blocks inline scripts and restricts JavaScript sources to mitigate damage if an XSS payload slips through.
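
For the content scan recommended above, one way to triage existing posts is to parse every ays_block shortcode and flag attribute values that contain markup characters, event handlers or script URLs. This is an added example, not code from OpenCVE or the plugin; it assumes post bodies (for instance the post_content column of wp_posts) have been exported as post ID to text, and the sample rows and attribute names are constructed because the page does not list the shortcode's real attributes.

```python
import html
import re

# Opening [ays_block ...] tag; group 1 is the raw attribute string.
SHORTCODE_RE = re.compile(r"\[ays_block\b([^\]]*)\]", re.IGNORECASE)
# name="v", name='v' or name=v, close to how WordPress splits shortcode attributes.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
# Content that a plain shortcode attribute value should never need.
SUSPICIOUS = [
    ("markup character", re.compile(r"[<>\"'`]")),
    ("event handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("script URL", re.compile(r"\b(?:javascript|vbscript)\s*:", re.IGNORECASE)),
]

# Constructed sample rows (post ID -> post_content); attribute names are hypothetical.
SAMPLE_POSTS = {
    101: 'Intro [ays_block id="3"]members only[/ays_block]',
    102: "[ays_block id='7\" onmouseover=\"alert(1)']x[/ays_block]",
    103: '[ays_block title="&lt;img src=x&gt;"]y[/ays_block]',
    104: '[ays_block link="javascript:void(0)"]z[/ays_block]',
}

def scan_post(content):
    """Return (attribute, decoded value, reason) for each suspicious attribute."""
    findings = []
    for tag in SHORTCODE_RE.finditer(content):
        for m in ATTR_RE.finditer(tag.group(1)):
            raw = next(g for g in m.groups()[1:] if g is not None)
            value = html.unescape(raw)  # also catches &quot; / &lt; encoded input
            for reason, pattern in SUSPICIOUS:
                if pattern.search(value):
                    findings.append((m.group(1), value, reason))
                    break  # one reason per attribute is enough for triage
    return findings

def scan_posts(posts):
    """Map post ID -> findings, keeping only posts that need manual review."""
    report = {pid: scan_post(body) for pid, body in posts.items()}
    return {pid: hits for pid, hits in report.items() if hits}

if __name__ == "__main__":
    for pid, hits in scan_posts(SAMPLE_POSTS).items():
        for name, value, reason in hits:
            print(f"post {pid}: attribute {name!r} = {value!r} ({reason})")
```

Flagged posts still need manual review: a hit means the attribute value is unusual for a shortcode, not that it is confirmed malicious.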


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Ays-pro; Ays-pro secure Copy Content Protection And Content Locking; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Ays-pro; Ays-pro secure Copy Content Protection And Content Locking; Wordpress; Wordpress wordpress

Wed, 25 Feb 2026 22:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 09:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ays_block' shortcode in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: Secure Copy Content Protection and Content Locking <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:23.940Z

Reserved: 2026-02-11T20:06:04.763Z

Link: CVE-2026-2367

Vulnrichment

Updated: 2026-02-25T21:02:08.928Z

NVD

Status: Deferred

Published: 2026-02-25T10:16:18.507

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2367

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses