CVE-2026-57692: WordPress PrivateContent plugin <= 9.9.2 - Privilege Escalation vulnerability
Incorrect Privilege Assignment vulnerability in LCweb PrivateContent allows Privilege Escalation. This issue affects PrivateContent: from n/a through 9.9.2.
Metrics
- CVSS v3.1
- 9.8
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An incorrect privilege assignment vulnerability in the LCweb PrivateContent WordPress plugin (versions up to and including 9.9.2) allows unauthenticated attackers to escalate their privileges over the network. No login or user interaction is required to trigger the flaw. Successful exploitation gives an attacker full control over confidentiality, integrity, and availability of the affected WordPress installation. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images and pipeline builds, including custom-built images that bundle the PrivateContent plugin. Any image at or below version 9.9.2 of PrivateContent is flagged automatically.
AvailableHarborGuard surfaces this CVE with its CVSS v3.1 score of 9.8 (Critical) and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
AvailableNo fix version has been published upstream for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must reach the WordPress installation over the network; no local or physical access is needed.
- AuthenticationNot required
No account or session credentials are needed; the exploit is available to any unauthenticated HTTP client.
- Victim interactionNot required
No user action is required; the attacker triggers the vulnerability entirely on their own.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and imposes no special conditions, race windows, or environmental dependencies on the attacker.
Blast Radius
- A successful attacker gains an elevated or administrative WordPress role, allowing them to read any stored content, user records, and plugin configuration data.
- The attacker can modify or delete posts, pages, user accounts, plugin settings, and other persisted site data.
- With administrative access the attacker can install arbitrary WordPress plugins or themes, enabling remote code execution on the underlying server.
- The attacker can disable or corrupt the site, causing a denial of service for end users and administrators.
How HarborGuard Handles This
Available on HarborGuard: this CVE is monitored continuously against all images in connected customer registries and CI pipelines. Because no upstream fix exists as of the publication date, HarborGuard re-checks the advisory on every ingest cycle. The moment LCweb publishes a patched release, a rebuilt image at that version becomes available. For customers who opt into auto-remediation, HarborGuard will initiate a rebuild, run the configured regression test suite, and open a pull request against affected workloads without requiring manual steps. In the interim, compensating controls worth evaluating include network-policy rules that restrict public access to the WordPress admin endpoint, web application firewall rules targeting the specific privilege-assignment request path, and temporary deactivation of the PrivateContent plugin if the feature is non-essential to operations. Where compliance policy permits, HarborGuard can surface these compensating-control recommendations directly in the finding detail.
- LCweb / PrivateContent≤ 9.9.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H