CVE-2026-1320

Secure Copy Content Protection and Content Locking <= 4.9.8 - Unauthenticated Stored Cross-Site Scripting via X-Forwarded-For Header

Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 7.2
Severity: high
Patched in: 4.9.9
Time to patch: 1d

Description

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' HTTP header in all versions up to, and including, 4.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <=4.9.8
Published: February 12, 2026
Last updated: February 12, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the steps to investigate and exploit CVE-2026-1320, a Stored Cross-Site Scripting (XSS) vulnerability in the "Secure Copy Content Protection and Content Locking" plugin.


1. Vulnerability Summary

The "Secure Copy Content Protection and Content Locking" plugin logs visitor information, including IP addresses, to provide security reports and content locking statistics. The plugin incorrectly trusts the X-Forwarded-For HTTP header as a source for the visitor's IP address. It fails to sanitize this input before storing it in the database and fails to escape it when displaying it in the WordPress admin dashboard (likely within the "Reports" or "Statistics" sections). This allows an unauthenticated attacker to inject arbitrary JavaScript that executes in the context of an administrative user.

2. Attack Vector Analysis

  • Vulnerable Endpoint: Any frontend page or post (e.g., /, /?p=1).
  • Vulnerable Header: X-Forwarded-For
  • Authentication Level: Unauthenticated (Nopriv).
  • Preconditions: The plugin must be active and configured to log visitor IP addresses (this is usually a default behavior for reporting).
  • Sink Location: The WordPress Admin Dashboard, specifically the plugin's reporting pages.

3. Code Flow (Inferred)

  1. Entry: A request is made to any public page.
  2. IP Extraction: The plugin calls a function (e.g., get_ip_address()) that checks $_SERVER['HTTP_X_FORWARDED_FOR'] before $_SERVER['REMOTE_ADDR'].
  3. Storage: The raw value from the header is passed to a database insertion query (e.g., $wpdb->insert into a table like wp_ay_sccp_reports or stored in wp_options).
  4. Admin Access: An administrator navigates to the plugin's admin page (e.g., wp-admin/admin.php?page=ay_sccp_reports).
  5. Sink: The admin page retrieves the logs and echoes the "IP" column directly into the HTML table without using esc_html() or esc_attr().
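A hardened form of the inferred extraction-and-render flow above, added here as an example rather than code from the plugin. It assumes it runs inside WordPress (for esc_html()), and the $trusted_proxies list and the sccp_example_* function names are assumptions introduced for the illustration:

```php
<?php
// Added example, not the plugin's code: a hardened get_ip_address() flow.
// It differs from a bare sanitize_text_field() in two ways:
//   1. X-Forwarded-For is honoured only when the TCP peer (REMOTE_ADDR) is a
//      proxy the site operates, because any client can send the header;
//   2. the value chosen must parse as an IP, otherwise REMOTE_ADDR is used.
// $trusted_proxies is a hypothetical setting introduced for this example.

function sccp_example_client_ip(array $server, array $trusted_proxies): string
{
    $remote = (string) ($server['REMOTE_ADDR'] ?? '');

    // Direct client, or an unknown proxy: the header is untrusted input, ignore it.
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }

    // Walk the chain from the right: the right-most entries were appended by
    // our own proxies; the first entry that is not one of them is the client.
    $xff  = (string) ($server['HTTP_X_FORWARDED_FOR'] ?? '');
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trusted_proxies, true)) {
            continue;
        }
        // Accept only a syntactically valid IPv4/IPv6 literal; anything else
        // (markup, hostnames, empty strings) falls back to the proxy address.
        return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $remote;
    }
    return $remote;
}

// Render side: escape at output regardless of what was stored, so rows
// written before the fix cannot execute in the admin dashboard.
function sccp_example_ip_cell(string $stored_ip): string
{
    return '<td>' . esc_html($stored_ip) . '</td>';
}

// Constructed input: a request through a trusted proxy at 10.0.0.2 whose
// header carries a non-IP value is logged as the proxy address instead.
$server = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => 'not-an-ip <b>x</b>, 10.0.0.2',
];
$ip = sccp_example_client_ip($server, ['10.0.0.2']);
echo sccp_example_ip_cell($ip);
```

For a site with no reverse proxy, pass an empty $trusted_proxies list and the header is never consulted at all.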

4. Nonce Acquisition Strategy

This vulnerability is Passive/Automatic. Since the logging occurs automatically upon visiting a page to "protect" content or "log" the visit, no WordPress nonce is required for the injection phase.

For the trigger phase (verifying the XSS), the agent will need to be logged in as an administrator to access the reports page.

5. Exploitation Strategy

Step 1: Identify the Reporting Admin Page

Use WP-CLI to find the exact menu slug registered by the plugin.

wp eval "print_r( \$GLOBALS['menu'] );"

Look for slugs containing sccp or ay_sccp.

Step 2: Inject the Payload

Send a request to the homepage with the XSS payload in the X-Forwarded-For header.

  • Request Method: GET
  • URL: http://localhost:8080/
  • Headers:
    • X-Forwarded-For: <script>console.log('CVE-2026-1320_EXPLOITED');</script>
    • Content-Type: text/html

Step 3: Trigger the XSS

Log in as an administrator and navigate to the report page identified in Step 1.

  • URL: http://localhost:8080/wp-admin/admin.php?page=[SLUG_FOUND_IN_STEP_1]
  • Tool: browser_navigate followed by browser_eval("document.body.innerHTML") to check for the payload.

6. Test Data Setup

  1. Install/Activate Plugin:
    wp plugin install secure-copy-content-protection --version=4.9.8 --activate
    
  2. Ensure a Public Page Exists:
    wp post create --post_type=post --post_title='Vulnerable Page' --post_status=publish
    
  3. Configuration: Check if logging is enabled (usually default). If specific "Content Locking" must be active, enable it for the created post:
    # Example (slug depends on plugin internals)
    wp option update ay_sccp_settings '{"enable_logging": "yes"}' 
    

7. Expected Results

  • Injection: The HTTP request returns a 200 OK.
  • Storage: The database table (e.g., wp_ay_sccp_reports) should now contain a row where the ip_address column matches the <script> payload.
  • Execution: When navigating to the plugin's report page in the browser, the script should be rendered as raw HTML:
    <td><script>console.log('CVE-2026-1320_EXPLOITED');</script></td>
    

8. Verification Steps

  1. Database Check:
    # Search for the payload in the database
    wp db query "SELECT * FROM wp_ay_sccp_reports WHERE ip_address LIKE '%<script>%';"
    
    (Note: Table name wp_ay_sccp_reports is an inferred name based on plugin slug; use wp db tables to confirm).
  2. Browser Verification: Use browser_eval to confirm the script exists in the DOM of the admin page.

9. Alternative Approaches

If the plugin only logs attempts to bypass protection (e.g., right-clicking or selecting text), the payload must be delivered during a "forbidden" action:

  1. Simulate Right-Click: Navigate to a protected page and use browser_eval to trigger a right-click event.
  2. Simulate Text Selection: Use browser_eval to select text on the page, which may trigger the IP logging logic for "Content Protection".
  3. Bypass Proxy Checks: If the plugin ignores X-Forwarded-For unless a specific proxy IP is detected, try common variations like Client-IP, X-Real-IP, or True-Client-IP.

Research Findings

Static analysis — not yet PoC-verified

Summary

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to unauthenticated stored Cross-Site Scripting via the 'X-Forwarded-For' HTTP header in versions up to 4.9.8. This occurs because the plugin trusts and logs this header without sanitization, then fails to escape the stored IP address when displaying it in the admin reporting dashboard.

Security Fix

--- a/secure-copy-content-protection.php
+++ b/secure-copy-content-protection.php
@@ -10,7 +10,7 @@
 function get_ip_address() {
-    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
-        return $_SERVER['HTTP_X_FORWARDED_FOR'];
+    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+        $ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
+        return sanitize_text_field(trim($ips[0]));
     }
-    return $_SERVER['REMOTE_ADDR'];
+    return sanitize_text_field($_SERVER['REMOTE_ADDR']);
 }
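Review bot: sanitize_text_field() on the first X-Forwarded-For entry strips markup but does not check that the result is an IP address, and the patched branch still trusts the header from any client whenever it is non-empty. Validate the chosen value with filter_var($ip, FILTER_VALIDATE_IP) and fall back to $_SERVER['REMOTE_ADDR'] when that fails, and only consult the header when REMOTE_ADDR is a proxy the site actually operates; otherwise the stored "IP" remains attacker-chosen text, just without tags.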
@@ -50,5 +50,5 @@
 foreach ($reports as $report) {
     echo '<tr>';
-    echo '<td>' . $report->ip_address . '</td>';
+    echo '<td>' . esc_html($report->ip_address) . '</td>';
     echo '</tr>';
 }
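Review bot: the esc_html() call on $report->ip_address is the change that actually closes the XSS, and it also covers rows written before the upgrade, which the input sanitization in the first hunk cannot retroactively clean. Keep this output escaping even once the stored value is validated on input, and apply the same escaping to any other $report fields echoed in this loop; if a value is ever placed inside an attribute, esc_attr() is the correct escaper there.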

Exploit Outline

The exploit is performed by sending a GET request to any public-facing page of the WordPress site while including a malicious script within the 'X-Forwarded-For' HTTP header. Because the plugin does not sanitize this header, it stores the script directly into the database as the visitor's IP address. The vulnerability is triggered when an administrator logs in and navigates to the plugin's reporting or statistics page (e.g., admin.php?page=ay_sccp_reports), where the stored payload is rendered without escaping, allowing for script execution in the administrator's session.
