PrivateContent Free Security & Risk Analysis

wordpress.org/plugins/privatecontent-free

Restrict pages, posts, and menus by user level or login status. Create private areas for members or logged-in users with ease and FREE!

10 active installs · v1.3.1 · PHP 7.0+ · WP 5.0+ · Updated Apr 2, 2026
content-restriction · members-area · private-content · restrict-content · user-role-access
99
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Apr 7, 2026
Safety Verdict

Is PrivateContent Free Safe to Use in 2026?

Generally Safe

Score 99/100

PrivateContent Free has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Apr 7, 2026 · Updated 1mo ago
Risk Assessment

The "privatecontent-free" v1.2.0 plugin presents a mixed security posture. While it demonstrates good practices in SQL query preparation (81%) and output escaping (90%), and boasts a clean vulnerability history with no recorded CVEs, significant concerns arise from its attack surface. A substantial number of AJAX handlers (31 out of 35) lack authentication checks, creating a wide entry point for potential attacks. The taint analysis reveals a concerning pattern with 14 high-severity flows without proper sanitization, and over two-thirds of analyzed flows (21 out of 24) involve unsanitized paths. The presence of the `unserialize` function, a known risk for deserialization vulnerabilities, further exacerbates these concerns, especially when combined with unsanitized inputs. The limited number of nonce and capability checks (2 and 31 respectively) compared to the large number of unprotected AJAX handlers suggests a significant oversight in securing these entry points.

Despite the absence of publicly known vulnerabilities, the internal code analysis strongly indicates potential weaknesses. The high number of unprotected AJAX endpoints combined with unsanitized taint flows represents the most critical risk. This suggests that while the plugin may not have been targeted or discovered yet, it possesses exploitable flaws. The use of `unserialize` without clear input validation on potentially untrusted data is a significant red flag. The plugin's strengths lie in its handling of SQL and output, but these are overshadowed by the vulnerabilities in its input handling and authentication mechanisms for its AJAX endpoints. A proactive approach to securing these entry points and sanitizing all user-provided data is crucial.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows (unsanitized)
  • Unsanitized paths in taint flows
  • Dangerous function 'unserialize' used
  • Limited nonce checks on AJAX handlers
Vulnerabilities
1 published

PrivateContent Free Security Vulnerabilities

CVEs by Year

1 CVE in 2026

Severity Breakdown

Medium: 1

1 total CVE

CVE-2026-4025 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PrivateContent Free <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'align' Shortcode Attribute

Apr 7, 2026 · Patched in 1.3.0 (1d)
Version History

PrivateContent Free Release Timeline

v1.3.1 · Current
v1.3.0
v1.2.0 · 1 CVE
v1.1.0 · 1 CVE
v1.0.10 · 1 CVE
v1.0.9 · 1 CVE
v1.0.8 · 1 CVE
v1.0.7 · 1 CVE
v1.0.6 · 1 CVE
v1.0.3 · 1 CVE
v1.0.2 · 1 CVE
v1.0.1 · 1 CVE
v1.0.0 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

PrivateContent Free Code Analysis

Dangerous Functions: 10
Raw SQL Queries: 11 (47 prepared)
Unescaped Output: 86 (766 escaped)
Nonce Checks: 2
Capability Checks: 31
File Operations: 31
External Requests: 1
Bundled Libraries: 1

Dangerous Functions Found

unserialize · $data = unserialize($data); · classes\pc_static.php:985
unserialize · $as_params = unserialize(base64_decode($fdata['pc_targeted_export_params'])); · classes\users_import_export.php:62
unserialize · $as_params = unserialize(base64_decode($fdata['pc_targeted_export_params'])); · classes\users_import_export.php:245
unserialize · $users[$uid][$field] = ($field == 'categories') ? unserialize($val) : $val; · classes\users_manag.php:364
unserialize · $data = unserialize($data); · classes\users_manag.php:613
unserialize · $clean = (array)unserialize(base64_decode($psw)); · classes\users_manag.php:1360
unserialize · $structure = unserialize(base64_decode($term->description)); · main_includes\admin_ajax.php:602
unserialize · $form_structure = (array)unserialize(base64_decode($term->description)); · main_includes\front_ajax.php:43
unserialize · $form_structure = unserialize(base64_decode($rf->description)); · main_includes\public_api.php:708
unserialize · $targeted_export_args = unserialize(base64_decode(pc_static::sanitize_val($_GET['targeted_export'])) · main_includes\users_list.php:36

Bundled Libraries

TinyMCE

SQL Query Safety

81% prepared · 58 total queries

Output Escaping

90% escaped · 852 total outputs
Data Flows · Security
21 unsanitized

Data Flow Analysis

24 flows · 21 with unsanitized paths
<user_pvt_page> (main_includes\user_pvt_page.php:0)
Attack Surface
31 unprotected

PrivateContent Free Attack Surface

Entry Points: 41
Unprotected: 31

AJAX Handlers 35

auth · wp_ajax_pvtcont_set_predefined_style · main_includes\admin_ajax.php:48
auth · wp_ajax_pvtcont_ulist_update_user_cols · main_includes\admin_ajax.php:73
auth · wp_ajax_pvtcont_bulk_cat_change · main_includes\admin_ajax.php:148
auth · wp_ajax_pvtcont_ulist_manage_users · main_includes\admin_ajax.php:245
auth · wp_ajax_pvtcont_wp_sync_single_user · main_includes\admin_ajax.php:284
auth · wp_ajax_pvtcont_wp_to_pc_single_user_sync · main_includes\admin_ajax.php:338
auth · wp_ajax_pvtcont_wp_to_pc_bulk_user_sync · main_includes\admin_ajax.php:420
auth · wp_ajax_pvtcont_wp_detach_single_user · main_includes\admin_ajax.php:445
auth · wp_ajax_pvtcont_wp_global_sync · main_includes\admin_ajax.php:465
auth · wp_ajax_pvtcont_wp_global_detach · main_includes\admin_ajax.php:485
auth · wp_ajax_pvtcont_wps_search_and_sync_matches · main_includes\admin_ajax.php:505
auth · wp_ajax_pvtcont_ausnp_search · main_includes\admin_ajax.php:570
auth · wp_ajax_pvtcont_reg_form_builder · main_includes\admin_ajax.php:720
auth · wp_ajax_pvtcont_update_reg_form · main_includes\admin_ajax.php:806
auth · wp_ajax_pvtcont_menu_item_restrict · main_includes\admin_ajax.php:842
auth · wp_ajax_pvtcont_set_live_restr_preview · main_includes\admin_ajax.php:888
auth · wp_ajax_pvtcont_qe_restr_wiz_in_list_form · main_includes\admin_ajax.php:982
auth · wp_ajax_pvtcont_qe_restr_wiz_in_list_update · main_includes\admin_ajax.php:1040
auth · wp_ajax_pvtcont_pvtc_import_json_upload · main_includes\admin_ajax.php:1265
auth · wp_ajax_pvtcont_pvtc_import · main_includes\admin_ajax.php:1401
auth · wp_ajax_pvtcont_csv_import_csv_upload · main_includes\admin_ajax.php:1515
auth · wp_ajax_pvtcont_csv_import · main_includes\admin_ajax.php:1653
auth · wp_ajax_pvtcont_engine_import_json_upload · main_includes\admin_ajax.php:1751
auth · wp_ajax_pvtcont_engine_import · main_includes\admin_ajax.php:1847
auth · wp_ajax_pc_reg_form_submit · main_includes\front_ajax.php:153
nopriv · wp_ajax_pc_reg_form_submit · main_includes\front_ajax.php:154
auth · wp_ajax_pc_login_form_submit · main_includes\front_ajax.php:292
nopriv · wp_ajax_pc_login_form_submit · main_includes\front_ajax.php:293
auth · wp_ajax_pc_logout_btn_handler · main_includes\front_ajax.php:316
nopriv · wp_ajax_pc_logout_btn_handler · main_includes\front_ajax.php:317
auth · wp_ajax_pc_user_del_ajax · main_includes\front_ajax.php:388
nopriv · wp_ajax_pc_user_del_ajax · main_includes\front_ajax.php:389
auth · wp_ajax_pcf_dismiss_welcome · main_includes\pcfree_welcome.php:52
auth · wp_ajax_pvtcont_save_user_dashboard_ajax · user_dashboard\ajax.php:133
auth · wp_ajax_pvtcont_user_dashboard_change_status · user_dashboard\ajax.php:180

Shortcodes 6

[pc-login-form] main_includes\shortcodes.php:7
[pc-logout-box] main_includes\shortcodes.php:23
[pc-user-del-box] main_includes\shortcodes.php:38
[pc-registration-form] main_includes\shortcodes.php:101
[pc-pvt-content] main_includes\shortcodes.php:126
[pc-user-pvt-page-contents] main_includes\shortcodes.php:243
WordPress Hooks 127
action · init · builders_integration\gutenberg.php:8
action · enqueue_block_editor_assets · builders_integration\gutenberg.php:35
filter · block_categories_all · builders_integration\gutenberg.php:105
action · admin_head · builders_integration\gutenberg.php:123
filter · render_block_data · builders_integration\gutenberg.php:195
action · enqueue_block_editor_assets · builders_integration\guten_elements\registr\registr.php:7
action · wp_footer · classes\pc_static.php:1425
action · delete_post · classes\posts_restr_cache.php:45
action · save_post · classes\posts_restr_cache.php:50
action · deleted_term_taxonomy · classes\posts_restr_cache.php:51
action · pc_qe_restr_wiz_in_list_updated · classes\posts_restr_cache.php:52
action · wp_loaded · classes\posts_restr_cache.php:312
action · deleted_term_taxonomy · classes\restrictions_wizard.php:77
action · admin_init · classes\restrictions_wizard.php:81
action · save_post · classes\restrictions_wizard.php:82
action · admin_enqueue_scripts · classes\restrictions_wizard.php:86
action · admin_head · classes\restrictions_wizard.php:1203
action · wp_loaded · classes\restrictions_wizard.php:1462
filter · send_password_change_email · classes\wp_user_sync.php:92
filter · send_email_change_email · classes\wp_user_sync.php:93
filter · send_password_change_email · classes\wp_user_sync.php:232
filter · send_email_change_email · classes\wp_user_sync.php:233
action · admin_menu · main_includes\admin_menu.php:83
action · parent_file · main_includes\admin_menu.php:110
action · admin_init · main_includes\admin_menu.php:162
action · admin_init · main_includes\admin_menu.php:177
filter · hidden_columns · main_includes\admin_menu.php:228
filter · set-screen-option · main_includes\admin_menu.php:238
action · admin_bar_menu · main_includes\admin_menu.php:266
action · pvtcont_init · main_includes\admin_menu.php:269
filter · admin_title · main_includes\admin_menu.php:327
action · admin_footer · main_includes\adv_lcshop.php:2
action · init · main_includes\cpt_and_ct.php:39
action · init · main_includes\cpt_and_ct.php:80
action · init · main_includes\cpt_and_ct.php:95
action · admin_head-post-new.php · main_includes\cpt_and_ct.php:151
action · current_screen · main_includes\cpt_and_ct.php:164
action · template_redirect · main_includes\cpt_and_ct.php:247
action · admin_head-post.php · main_includes\cpt_and_ct.php:262
action · template_redirect · main_includes\cpt_and_ct.php:380
filter · wpseo_sitemap_exclude_post_type · main_includes\cpt_and_ct.php:397
action · add_meta_boxes · main_includes\cpt_and_ct.php:403
action · wp_enqueue_scripts · main_includes\live_restr_preview.php:6
action · admin_bar_menu · main_includes\live_restr_preview.php:14
action · widgets_init · main_includes\login_widget.php:79
action · wp_update_nav_menu_item · main_includes\nav_menu_option.php:7
filter · wp_setup_nav_menu_item · main_includes\nav_menu_option.php:34
action · admin_footer · main_includes\nav_menu_option.php:42
action · admin_notices · main_includes\pcfree_welcome.php:5
filter · pcua_act_types · main_includes\pcua_integration.php:7
filter · pcua_act_triggers · main_includes\pcua_integration.php:106
filter · pcua_add_act_metas · main_includes\pcua_integration.php:195
action · wp_enqueue_scripts · main_includes\scripts_n_styles_include.php:136
action · admin_enqueue_scripts · main_includes\scripts_n_styles_include.php:137
action · login_enqueue_scripts · main_includes\scripts_n_styles_include.php:138
action · lc_guten_scripts · main_includes\scripts_n_styles_include.php:139
action · admin_head · main_includes\scripts_n_styles_include.php:156
filter · body_class · main_includes\scripts_n_styles_include.php:169
action · admin_init · main_includes\tinymce_implementation.php:6
filter · mce_external_plugins · main_includes\tinymce_implementation.php:12
filter · mce_buttons · main_includes\tinymce_implementation.php:18
action · admin_footer · main_includes\tinymce_implementation.php:28
filter · body_class · main_includes\user_auth.php:127
action · pvtcont_init · main_includes\user_auth.php:129
action · pvtcont_init · main_includes\user_auth.php:158
filter · wp_speculation_rules_href_exclude_paths · main_includes\user_auth.php:163
action · wp · main_includes\user_auth.php:178
action · init · main_includes\user_categories.php:7
filter · manage_edit-pg_user_categories_columns · main_includes\user_categories.php:56
action · pg_user_categories_add_form_fields · main_includes\user_categories.php:69
action · pg_user_categories_edit_form_fields · main_includes\user_categories.php:70
action · created_pg_user_categories · main_includes\user_categories.php:214
action · edited_pg_user_categories · main_includes\user_categories.php:215
filter · manage_edit-pg_user_categories_columns · main_includes\user_categories.php:268
filter · manage_pg_user_categories_custom_column · main_includes\user_categories.php:269
action · delete_term_taxonomy · main_includes\user_categories.php:415
filter · pc_custom_redirect_url · main_includes\user_categories.php:433
action · template_redirect · main_includes\user_pvt_page.php:7
filter · comments_template · main_includes\user_pvt_page.php:236
filter · comments_template · main_includes\user_pvt_page.php:253
filter · the_content · main_includes\user_pvt_page.php:270
filter · the_content · main_includes\user_pvt_page.php:297
filter · get_post_metadata · main_includes\user_pvt_page.php:368
filter · default_post_metadata · main_includes\user_pvt_page.php:369
action · wp_enqueue_scripts · main_includes\user_pvt_page.php:376
action · wp_enqueue_scripts · main_includes\user_pvt_page.php:406
filter · pre_get_posts · main_includes\user_pvt_page.php:421
action · current_screen · main_includes\user_pvt_page.php:439
action · init · main_includes\wp_user_tricks.php:11
action · wp_login · main_includes\wp_user_tricks.php:30
filter · authenticate · main_includes\wp_user_tricks.php:163
action · woocommerce_before_customer_login_form · main_includes\wp_user_tricks.php:206
action · pvtcont_init · main_includes\wp_user_tricks.php:225
action · clear_auth_cookie · main_includes\wp_user_tricks.php:305
action · wp_logout · main_includes\wp_user_tricks.php:306
action · pvtcont_init · main_includes\wp_user_tricks.php:315
filter · show_admin_bar · main_includes\wp_user_tricks.php:319
action · admin_enqueue_scripts · main_includes\wp_user_tricks.php:326
action · profile_update · main_includes\wp_user_tricks.php:345
action · show_user_profile · main_includes\wp_user_tricks.php:477
action · edit_user_profile · main_includes\wp_user_tricks.php:478
filter · registration_errors · main_includes\wp_user_tricks.php:484
action · user_register · main_includes\wp_user_tricks.php:509
action · after_password_reset · main_includes\wp_user_tricks.php:564
action · admin_footer · main_includes\wp_user_tricks.php:588
action · admin_enqueue_scripts · main_includes\wp_user_tricks.php:633
action · admin_init · main_includes\wp_user_tricks.php:746
filter · views_users · main_includes\wp_user_tricks.php:778
action · pre_get_users · main_includes\wp_user_tricks.php:791
filter · query · main_includes\wp_user_tricks.php:808
action · woocommerce_order_status_completed · main_includes\wp_user_tricks.php:832
action · init · privatecontent-free.php:47
action · init · privatecontent-free.php:88
action · admin_init · privatecontent-free.php:93
action · admin_init · privatecontent-free.php:97
action · wp_loaded · privatecontent-free.php:116
action · pvtcont_init · privatecontent-free.php:142
filter · user_has_cap · privatecontent-free.php:161
filter · display_post_states · privatecontent-free.php:197
filter · plugin_row_meta · privatecontent-free.php:221
action · admin_init · privatecontent-free.php:322
action · before_woocommerce_init · privatecontent-free.php:328
filter · plugin_action_links · privatecontent-free.php:337
action · template_redirect · restrictions\redirect_engine.php:7
filter · pre_get_posts · restrictions\redirect_engine.php:210
filter · widget_categories_args · restrictions\redirect_engine.php:254
action · pc_settings_extra_code · settings\nfpcf.php:112
Maintenance & Trust

PrivateContent Free Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 2, 2026
PHP min version: 7.0
Downloads: 1K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

PrivateContent Free Developer Profile

LCweb

4 plugins · 70 total installs

Trust score: 97
Avg Security Score: 96/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect PrivateContent Free

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/privatecontent-free/css/privatecontent.css
/wp-content/plugins/privatecontent-free/js/privatecontent.js
Script Paths
/wp-content/plugins/privatecontent-free/js/privatecontent.js
Version Parameters
privatecontent-free/css/privatecontent.css?ver=
privatecontent-free/js/privatecontent.js?ver=

HTML / DOM Fingerprints

CSS Classes
pc-private-content · pc-form-restricted · pc-login-form-wrapper · pc-button-primary · pc-link-primary
HTML Comments
<!-- privatecontent-free -->
<!-- privatecontent-free v1.2.0 -->
Data Attributes
data-pc-lock · data-pc-lock-message
JS Globals
PC_URL · PC_DIR · PC_VERS · ISPCF
Shortcode Output
[privateContent] · [privateContent_form] · [privateContent_login] · [privateContent_users_list]