
CVE-2026-1320: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ays-pro Secure Copy Content Protection and Content Locking

Severity: High
Published: Thu Feb 12 2026 (02/12/2026, 13:25:33 UTC)
Source: CVE Database V5
Vendor/Project: ays-pro
Product: Secure Copy Content Protection and Content Locking

Description

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' HTTP header in all versions up to, and including, 4.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 19:06:16 UTC

Technical Analysis

CVE-2026-1320 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 that affects the Secure Copy Content Protection and Content Locking plugin for WordPress, developed by ays-pro. This vulnerability exists in all versions up to and including 4.9.8. The root cause is insufficient input sanitization and output escaping of the 'X-Forwarded-For' HTTP header, which is commonly used to identify the originating IP address of a client connecting through a proxy or load balancer. Because the plugin improperly processes this header, an attacker can craft a malicious HTTP request with a specially crafted 'X-Forwarded-For' header containing arbitrary JavaScript code. This code is then stored persistently on the server and rendered in web pages viewed by other users. When a victim accesses a page containing the injected script, it executes in their browser context, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or deliver further malware. The vulnerability is exploitable remotely without any authentication or user interaction, increasing its risk profile. The CVSS 3.1 base score is 7.2, indicating high severity, with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N highlighting network attack vector, low attack complexity, no privileges or user interaction required, and a scope change affecting confidentiality and integrity but not availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability affects all installations using the vulnerable plugin versions, which are commonly deployed on WordPress sites for content protection and locking functionality.

Potential Impact

The impact of CVE-2026-1320 is significant for organizations using the affected WordPress plugin. Successful exploitation can lead to the execution of arbitrary JavaScript in the context of users visiting the compromised site, enabling attackers to steal sensitive information such as session tokens, cookies, or personal data, thereby compromising user confidentiality. Attackers may also manipulate site content or perform unauthorized actions on behalf of users, affecting data integrity. Although availability is not directly impacted, the reputational damage and loss of user trust can be severe, especially for e-commerce, financial, or content-driven websites. The vulnerability's ease of exploitation without authentication or user interaction broadens the attack surface, making automated mass exploitation feasible. Organizations relying on this plugin may face increased risk of targeted attacks or widespread compromise, potentially leading to data breaches, regulatory penalties, and financial losses.

Mitigation Recommendations

To mitigate CVE-2026-1320, organizations should immediately assess their WordPress environments for the presence of the Secure Copy Content Protection and Content Locking plugin and verify the version in use. Since no official patch is currently linked, administrators should consider the following specific actions:

1) Temporarily disable or uninstall the vulnerable plugin until a security update is available.
2) Implement web application firewall (WAF) rules to sanitize or block suspicious 'X-Forwarded-For' header values containing script tags or unusual characters.
3) Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of injected scripts.
4) Monitor web server and application logs for anomalous requests containing suspicious header values.
5) Educate site administrators and developers on secure coding practices, emphasizing proper input validation and output encoding.
6) Regularly update WordPress core and plugins to the latest versions once patches are released.
7) Consider using security plugins that detect and block XSS attempts.

These targeted mitigations go beyond generic advice by focusing on header inspection, temporary plugin removal, and layered defenses to reduce risk until an official fix is available.
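One way to implement the header inspection of item 2 and the log monitoring of item 4 as a single allowlist check, added here as an example that is not part of the original advisory or of the plugin's code: every 'X-Forwarded-For' hop must parse as an IP literal (or the placeholder "unknown"), so a value carrying tags, quotes or anything else is flagged without maintaining a list of payload signatures. The log format (header in the last quoted field), the MAX_HOPS limit and the sample lines are assumptions constructed for this example.

```python
import ipaddress
import re

# Maximum proxy hops a legitimate chain should carry (assumption; tune to your topology).
MAX_HOPS = 5

# The last double-quoted field on a log line is assumed to hold the raw
# X-Forwarded-For header (a custom log format; not something the page states).
LAST_QUOTED = re.compile(r'"([^"]*)"\s*$')

def xff_anomaly(value):
    """Return why an X-Forwarded-For value is suspicious, or None if it is a plain
    comma-separated list of IP literals. Allowlist validation: tags, quotes or
    host:port entries all fail ipaddress parsing, so no payload signatures are needed."""
    if value in ("", "-"):
        return None  # header absent: nothing to validate
    hops = [h.strip() for h in value.split(",")]
    if len(hops) > MAX_HOPS:
        return f"too many hops ({len(hops)})"
    for hop in hops:
        if hop == "unknown":  # de-facto placeholder some proxies emit
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return f"non-IP hop: {hop!r}"
    return None

def scan_log(lines):
    """Return (line number, reason) for each line whose XFF field is suspicious."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = LAST_QUOTED.search(line)
        if not m:  # a stray quote inside the header value breaks the field layout
            findings.append((n, "unparseable XFF field"))
            continue
        reason = xff_anomaly(m.group(1))
        if reason:
            findings.append((n, reason))
    return findings

# Constructed sample log lines (not taken from the page).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Feb/2026:13:25:33 +0000] "GET /locked-post/ HTTP/1.1" 200 "198.51.100.7"',
    '203.0.113.10 - - [12/Feb/2026:13:25:34 +0000] "GET /locked-post/ HTTP/1.1" 200 "198.51.100.7, 2001:db8::1"',
    '203.0.113.11 - - [12/Feb/2026:13:25:35 +0000] "GET /locked-post/ HTTP/1.1" 200 "<script>alert(1)</script>"',
    '203.0.113.12 - - [12/Feb/2026:13:25:36 +0000] "GET /locked-post/ HTTP/1.1" 200 "unknown, 198.51.100.9"',
]
```

Running scan_log(SAMPLE_LOG) flags only the third line; the same xff_anomaly check can be used as the decision logic of a WAF rule that drops the header (or the request) before it reaches the plugin.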


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-22T01:20:10.757Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 698de160c9e1ff5ad8dd2348

Added to database: 2/12/2026, 2:19:12 PM

Last enriched: 2/26/2026, 7:06:16 PM

Last updated: 3/29/2026, 5:17:09 PM

