Atomic Edge analysis of CVE-2026-2281:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Private Comment WordPress plugin versions up to and including 0.0.4. The vulnerability exists in the plugin’s ‘Label text’ setting within the WordPress discussion options page. Attackers with Administrator-level access or higher can inject arbitrary JavaScript payloads that persist and execute when users view affected pages. The CVSS score of 4.4 reflects the requirement for administrative privileges and limited impact scope.

Atomic Edge research identifies the root cause as insufficient input sanitization and output escaping for the ‘Label text’ option. The vulnerability originates in the `private-comment/private-comment.php` file. The plugin registers a settings field via `add_settings_field()` at line 44, calling the `label_text_field()` method to render the input. The plugin’s `options_sanitize()` method at line 56 fails to properly sanitize user-supplied label text before storage. This missing sanitization allows malicious script payloads to be saved directly to the WordPress options table.

Exploitation requires an authenticated attacker with Administrator or higher privileges to navigate to the WordPress discussion settings page at `/wp-admin/options-discussion.php`. The attacker injects a JavaScript payload into the ‘Label text’ field (parameter name `private_comment_label_text`) and saves the settings, which stores the payload in the WordPress database. When the plugin displays private comment labels on front-end pages, the unsanitized label text is output without proper escaping, causing script execution in victims’ browsers. The vulnerability only affects multi-site installations or installations where the `unfiltered_html` capability is disabled, that is, configurations in which Administrators are not already permitted to publish unfiltered HTML.

The patch analysis indicates the vulnerability was fixed in version 0.0.5. The code diff shows the version number update from 0.0.3 to 0.0.5 at line 7. Atomic Edge examination confirms the patch adds input sanitization, though the exact sanitization code is not shown in the provided diff. Before the patch, raw HTML and JavaScript were accepted in the label text field. After it, the expected behavior is that WordPress core sanitization functions such as `sanitize_text_field()` or `esc_html()` are applied within the `options_sanitize()` method to strip dangerous content before storage, with output escaping applied during display.
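The settings-registration pattern described above, as an added illustration that is not the plugin's own code: the weak pass-through sanitizer beside a hardened one, and escaping at both output points. The class name, hook wiring and section name are assumptions; the option name and the `options_sanitize()` / `label_text_field()` method names follow the advisory.

```php
<?php
// Illustrative sketch (not the Private Comment plugin's code) of a Discussion-page
// option whose sanitize_callback decides whether markup reaches the options table.
class Private_Comment_Settings_Example {
    const OPTION = 'private_comment_label_text';

    public function __construct() {
        add_action( 'admin_init', [ $this, 'register' ] );
    }

    public function register() {
        // register_setting() routes every save of the option through sanitize_callback.
        register_setting( 'discussion', self::OPTION, [
            'type'              => 'string',
            'sanitize_callback' => [ $this, 'options_sanitize' ],
            'default'           => 'Private comment',
        ] );
        add_settings_field( self::OPTION, 'Label text',
            [ $this, 'label_text_field' ], 'discussion', 'default' );
    }

    // Vulnerable shape: the value is returned as received, so tags and event
    // handlers are written straight into wp_options and replayed on every render.
    public function options_sanitize_vulnerable( $value ) {
        return $value;
    }

    // Hardened: strip tags and control characters before storage. This holds
    // regardless of whether the saving user has the unfiltered_html capability.
    public function options_sanitize( $value ) {
        return sanitize_text_field( (string) $value );
    }

    // Admin form: escape for the attribute context even though input is sanitized;
    // sanitizing on input and escaping on output are independent controls.
    public function label_text_field() {
        $value = get_option( self::OPTION, 'Private comment' );
        printf( '<input type="text" name="%s" value="%s" />',
            esc_attr( self::OPTION ), esc_attr( $value ) );
    }

    // Front-end label: escape for the HTML body context. Echoing get_option()
    // here without esc_html() is the output half of the stored XSS.
    public function render_label() {
        echo '<span class="private-comment-label">'
            . esc_html( get_option( self::OPTION, 'Private comment' ) ) . '</span>';
    }
}
new Private_Comment_Settings_Example();
```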

Successful exploitation allows administrative attackers to inject persistent malicious scripts that execute in the context of any user viewing pages with private comments. This can lead to session hijacking, administrative account takeover, defacement, or malware distribution. While the attack requires administrative privileges, it enables privilege persistence and lateral movement within compromised WordPress installations. The stored nature means the payload executes repeatedly without further attacker interaction.