Stored Cross-Site Scripting in PrivateContent Free Plugin for WordPress
CVE-2026-4025

6.4 MEDIUM

Key Information:

Vendor

WordPress

CVE Published:
8 April 2026

What is CVE-2026-4025?

The PrivateContent Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting through the 'align' attribute of the [pc-login-form] shortcode. All versions up to and including 1.2.0 are affected because the plugin neither validates the input nor escapes the output: the attribute value is inserted directly into an HTML class attribute without the necessary escaping functions. As a result, authenticated users with Contributor access or higher can inject arbitrary web scripts into pages, which then execute whenever another user visits an injected page.
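The defect described above is a shortcode attribute written straight into an HTML class attribute. The following is an added example and not the plugin's code: a hypothetical handler showing that pattern next to a hardened version that allowlists the value and escapes it with WordPress's esc_attr(); the function names, the pc-align- class prefix and the sample input are assumptions, and stand-ins for esc_attr() and shortcode_atts() are defined only so the file runs outside WordPress.

```php
<?php
// Added example, not PrivateContent's code. Function names, the class prefix
// and the sample input are assumptions for illustration.
// Stand-ins so the file runs from the CLI; inside WordPress the real functions are used.
if (!function_exists('esc_attr')) {
    // Approximation of WordPress esc_attr(): encode quotes, <, > and & for attribute context.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    // Approximation of WordPress shortcode_atts(): keep only known keys, fill in defaults.
    function shortcode_atts($pairs, $atts) {
        return array_merge($pairs, array_intersect_key((array) $atts, $pairs));
    }
}

// Vulnerable pattern: the attribute value is concatenated into class="..."
// with no validation and no escaping, so a quote in it terminates the attribute.
function hypothetical_login_form_vulnerable($atts) {
    $a = shortcode_atts(['align' => 'left'], $atts);
    return '<div class="pc-login-form pc-align-' . $a['align'] . '">...</div>';
}

// Hardened pattern: reduce the value to a fixed set of tokens, then escape on
// output anyway (defence in depth; esc_attr() is the WordPress escaper for attributes).
function hypothetical_login_form_hardened($atts) {
    $a = shortcode_atts(['align' => 'left'], $atts);
    $allowed = ['left', 'center', 'right'];
    $align = in_array($a['align'], $allowed, true) ? $a['align'] : 'left';
    return '<div class="pc-login-form pc-align-' . esc_attr($align) . '">...</div>';
}

if (function_exists('add_shortcode')) {
    // Register the hardened handler under an assumed tag (only when WordPress is loaded).
    add_shortcode('hypothetical-login-form', 'hypothetical_login_form_hardened');
}

// Constructed input: a value carrying a double quote, the character that
// closes an unescaped attribute.
$sample = ['align' => 'left"x'];
echo hypothetical_login_form_vulnerable($sample), PHP_EOL;
echo hypothetical_login_form_hardened($sample), PHP_EOL;
```

In the vulnerable output the class attribute ends at the embedded quote and the rest of the value becomes markup; the hardened handler rejects the value at the allowlist and emits the default class, and esc_attr() would neutralise the quote even if the allowlist were bypassed.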

Affected Version(s)

PrivateContent Free, all versions from 0 up to and including 1.2.0

References

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Gilang Asra Bilhadi