– Proof of Concept - Atomic Edge

Atomic Edge analysis of CVE-2026-2367:
The Secure Copy Content Protection and Content Locking WordPress plugin contains an authenticated stored cross-site scripting (XSS) vulnerability in versions up to and including 5.0.1. The vulnerability exists within the plugin’s ‘ays_block’ shortcode handler. Attackers with contributor-level or higher permissions can inject malicious scripts via shortcode attributes. These scripts execute when any user views a page containing the compromised shortcode. The CVSS score of 6.4 reflects the need for authentication and the impact on page integrity.

Atomic Edge research identifies the root cause as insufficient input sanitization and output escaping for user-supplied shortcode attributes. The vulnerable code resides in the public-facing shortcode handler within `secure-copy-content-protection/public/class-secure-copy-content-protection-public.php`. Specifically, the `ays_block_shortcode` function (lines 715-1050) processes the shortcode `id` attribute without proper validation. Before the patch, line 717 used `esc_sql($atts[‘id’])` which only provides SQL escaping, not XSS protection. The function then retrieves block content settings from the database and outputs them without adequate escaping in the generated HTML form.

Exploitation requires an authenticated attacker with contributor privileges or higher. The attacker creates or edits a post or page, inserting the plugin’s shortcode with a malicious `id` attribute payload. The shortcode syntax is `[ays_block id=”PAYLOAD”]`. The payload must bypass the limited `esc_sql()` filtering and eventually reach output contexts where script execution occurs. Atomic Edge analysis confirms the attack vector targets the public shortcode rendering endpoint, not administrative AJAX handlers.

The patch addresses the vulnerability by implementing proper input validation for the shortcode `id` parameter. In `secure-copy-content-protection/public/class-secure-copy-content-protection-public.php` at line 717, the code changes from `$id = esc_sql($atts[‘id’]);` to `$id = ( isset( $atts[‘id’] ) && $atts[‘id’] != ” ) ? absint( intval( $atts[‘id’] ) ) : null;`. This modification ensures the `id` parameter is strictly cast to an integer using `absint()` and `intval()`, preventing any non-numeric payload from propagating. The patch also updates the plugin version to 5.0.2 in the main plugin file.

Successful exploitation allows attackers with contributor-level access to inject arbitrary JavaScript into pages or posts. Injected scripts execute in the context of any user viewing the compromised page. This can lead to session hijacking, unauthorized actions on behalf of authenticated users, defacement, or redirection to malicious sites. The stored nature means the payload persists until removal, affecting all subsequent visitors.