CVE-2026-4025

Name of the Vulnerable Software and Affected Versions PrivateContent Free versions up to and including 1.2.0

Description The PrivateContent Free plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'align' shortcode attribute within the [pc-login-form] shortcode. This occurs due to inadequate input sanitization and output escaping on the align attribute. The attribute value is passed from the shortcode through the pc login form() function to the pc static::form align() function, where it is directly added to an HTML class attribute without proper escaping. This allows authenticated attackers with Contributor-level access or higher to inject malicious web scripts into pages, which will execute when a user visits the affected page.

Recommendations Update PrivateContent Free to a version later than 1.2.0.