Description
Incorrect Privilege Assignment vulnerability in LCweb PrivateContent allows Privilege Escalation.

This issue affects PrivateContent: from n/a through 9.9.2.
Published: 2026-07-01
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An Incorrect Privilege Assignment flaw in the LCweb PrivateContent WordPress plugin allows attackers to elevate privileges from a lower-level user role to a higher-level role or administrator. The vulnerability resides in the way the plugin assigns user capabilities, so exploitation gives control over site content and potentially other site functions. This flaw directly compromises the integrity and confidentiality of the WordPress installation and can lead to full administrative takeover.

Affected Systems

Any WordPress site running the LCweb PrivateContent plugin version 9.9.2 or earlier is affected. The CVE record lists the affected range as all releases up to and including 9.9.2; specific earlier versions are not enumerated.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, reflecting a high impact if the flaw is exploited. EPSS data is not available, and the absence of a KEV listing does not reduce the inherent risk. The likely attack vector is web-based, since an unprivileged user can interact with the plugin through normal site access. An attacker with any user role could attempt to exploit the misassignment to obtain elevated privileges unless this is mitigated by limiting available user roles or disabling the plugin altogether.

Generated by OpenCVE AI on July 1, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the LCweb PrivateContent plugin to the latest version that resolves the privilege assignment flaw (at least 9.9.3 if released).
  • If an update is not immediately available or desired, temporarily disable or remove the PrivateContent plugin from the WordPress installation to eliminate the attack surface.
  • Review and adjust user role capabilities within WordPress, ensuring that no ordinary user has administrator rights and that roles have the minimal privileges required for their functions.



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 19:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Lcweb; Lcweb privatecontent; Wordpress; Wordpress wordpress |
| Vendors & Products | | Lcweb; Lcweb privatecontent; Wordpress; Wordpress wordpress |

Wed, 01 Jul 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 01 Jul 2026 13:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Incorrect Privilege Assignment vulnerability in LCweb PrivateContent allows Privilege Escalation. This issue affects PrivateContent: from n/a through 9.9.2. |
| Title | | WordPress PrivateContent plugin <= 9.9.2 - Privilege Escalation vulnerability |
| Weaknesses | | CWE-266 |
| References | | |
| Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-01T14:25:49.078Z

Reserved: 2026-06-25T08:03:50.157Z

Link: CVE-2026-57692

Vulnrichment

Updated: 2026-07-01T13:51:17.346Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T18:45:05Z

Weaknesses
  • CWE-266: Incorrect Privilege Assignment