Security Alert Summary
The WP Content Permission plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability via the ohmem-message parameter. Authenticated users with Administrator-level access (and above) can inject arbitrary scripts that will execute when a user views an injected page due to insufficient input sanitization and output escaping.
CVE Details
- CVE ID: CVE-2026-0743
- Affected component: The WP Content Permission plugin for WordPress
- Affected versions: All versions up to, and including, 1.2
- Published: February 4, 2026 at 9:15 AM UTC
- Last modified: February 4, 2026 at 4:33 PM UTC
- CVSS v3.1: Base Score 4.4 (MEDIUM) — Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
- Authentication / Privileges / User Interaction: Privileges Required: HIGH; User Interaction: NONE; Attack Vector: NETWORK; Attack Complexity: HIGH
- Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
- Scope: CHANGED
- CWE: CWE-79 (Cross-site Scripting)
Technical Details
The vulnerability is a stored cross-site scripting issue caused by insufficient input sanitization and output escaping when handling the ohmem-message parameter. The CVE description indicates that data provided to this parameter can be stored and later rendered in pages without adequate escaping, allowing injected JavaScript to run in the browsers of users who access those pages.
The project’s repository references point to admin/views/admin.php (see references), indicating the vulnerable handling occurs in an administrative view. The problem exists because user-supplied content is not properly sanitized on input and not escaped on output, which allows script tags or event handlers to be persisted and executed in victim browsers.
Impact is limited by the requirement that an attacker must have Administrator-level privileges (or higher) to inject the payload. When executed in a victim’s browser, the script can interact with the page DOM and any client-side data available to that context; the CVSS metrics indicate low confidentiality and integrity impact and no availability impact.
How This Could Impact Your Website
Consider a scenario where a site owner, an internal staff editor, and an external contractor all have accounts on the same WordPress install. An attacker who has obtained or already holds an Administrator-level account could submit a malicious payload via the ohmem-message parameter. That payload could be stored and later executed when other users (including editors or contributors who view the affected admin pages or public pages where the message is rendered) access those pages.
Practical consequences include exposure of information available in the browser context, the ability to perform actions in the context of an authenticated user, and an increased risk of targeted phishing or social engineering relying on information collected via client-side scripts. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially administrator-level accounts and contributors with elevated permissions.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, including unexpected changes to content or admin views.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/wp-content-permission/tags/1.2/admin/views/admin.php#L74
- https://plugins.trac.wordpress.org/browser/wp-content-permission/trunk/admin/views/admin.php#L74
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e44403cd-1cee-43c4-aabc-3eaad433c020?source=cve