{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14159", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T20:38:26.784Z", "datePublished": "2025-12-12T11:15:49.854Z", "dateUpdated": "2026-04-08T17:02:49.188Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:49.188Z"}, "affected": [{"vendor": "ays-pro", "product": "Secure Copy Content Protection and Content Locking", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.9.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. This is due to missing nonce validation on the 'ays_sccp_results_export_file' AJAX action. This makes it possible for unauthenticated attackers to export sensitive plugin data including email addresses, IP addresses, physical addresses, user IDs, and other user information via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The exported data is stored in a publicly accessible file, allowing attackers to receive the sensitive information even though they are not authenticated."}], "title": "Secure Copy Content Protection and Content Locking <= 4.9.2 - Cross-Site Request Forgery to Data Export", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cffe04e-a2e5-4752-a5c1-7c95f0007e0b?source=cve"}, {"url": "https://wordpress.org/plugins/secure-copy-content-protection/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.8.7/admin/class-secure-copy-content-protection-admin.php#L645"}, {"url": "https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.9.3/admin/class-secure-copy-content-protection-admin.php#L696"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Deadbee"}], "timeline": [{"time": "2025-12-05T20:53:35.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-11T21:20:54.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T14:41:21.901650Z", "id": "CVE-2025-14159", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T14:41:32.984Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14159", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T14:41:21.901650Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T14:41:28.031Z"}}], "cna": {"title": "Secure Copy Content Protection and Content Locking <= 4.9.2 - Cross-Site Request Forgery to Data Export", "credits": [{"lang": "en", "type": "finder", "value": "Deadbee"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "ays-pro", "product": "Secure Copy Content Protection and Content Locking", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.9.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-05T20:53:35.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-11T21:20:54.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cffe04e-a2e5-4752-a5c1-7c95f0007e0b?source=cve"}, {"url": "https://wordpress.org/plugins/secure-copy-content-protection/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.8.7/admin/class-secure-copy-content-protection-admin.php#L645"}, {"url": "https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.9.3/admin/class-secure-copy-content-protection-admin.php#L696"}], "descriptions": [{"lang": "en", "value": "The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. This is due to missing nonce validation on the 'ays_sccp_results_export_file' AJAX action. This makes it possible for unauthenticated attackers to export sensitive plugin data including email addresses, IP addresses, physical addresses, user IDs, and other user information via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The exported data is stored in a publicly accessible file, allowing attackers to receive the sensitive information even though they are not authenticated."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:49.188Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14159", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:02:49.188Z", "dateReserved": "2025-12-05T20:38:26.784Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T11:15:49.854Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. This is due to missing nonce validation on the 'ays_sccp_results_export_file' AJAX action. This makes it possible for unauthenticated attackers to export sensitive plugin data including email addresses, IP addresses, physical addresses, user IDs, and other user information via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The exported data is stored in a publicly accessible file, allowing attackers to receive the sensitive information even though they are not authenticated."}], "id": "CVE-2025-14159", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T12:15:46.220", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.8.7/admin/class-secure-copy-content-protection-admin.php#L645"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.9.3/admin/class-secure-copy-content-protection-admin.php#L696"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/secure-copy-content-protection/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cffe04e-a2e5-4752-a5c1-7c95f0007e0b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:19:30.880884+00:00", "value": {"mitigation_remediation": ["Update the Secure Copy Content Protection and Content Locking plugin to version 4.9.3 or later to eliminate the missing nonce validation.", "Restrict file permissions on the directory where exported data files are written so that they are not publicly readable by unauthorized users.", "Revise the plugin\u2019s export functionality to require authentication and a valid nonce for all AJAX actions, ensuring that CSRF cannot trigger data exports."], "summary": {"action": "Immediate Patch", "impact": "Unrestricted Data Export via CSRF"}, "threat_synthesis": {"affected_systems": "All installations of the Secure Copy Content Protection and Content Locking plugin produced by ays-pro that run WordPress plugin versions up to and including 4.9.2 are affected. Versions 4.9.3 and higher contain the fix, while the 4.8.7 release exhibits the same issue as part of the same code path.", "description_and_impact": "The Secure Copy Content Protection and Content Locking plugin contains a missing nonce check on the \u2018ays_sccp_results_export_file\u2019 AJAX action, allowing attackers to exploit a cross\u2011site request forgery weakness. When a site administrator clicks a malicious link, the attacker can trigger a data export without authentication. The exported file contains email addresses, IP addresses, physical addresses, user IDs, and other sensitive information which is then stored in a publicly accessible location, leading to a confidentiality breach. The weakness is identified as CWE\u2011352.", "risk_and_exploitability": "The CVSS score is 4.3, indicating moderate overall risk, and the EPSS score is below 1\u202f%, suggesting the probability of exploitation remains low. The vulnerability is not listed in the CISA KEV catalog. Exploitability requires a forged request, which needs the cooperation of an authenticated site administrator who unknowingly performs the export action. Once triggered, the publicly available file delivers the sensitive data directly to the attacker, providing a direct avenue for information theft."}}}}, "created": "2025-12-14T21:16:29.931104+00:00", "updated": "2026-04-21T17:30:37.686499+00:00", "vendors": ["ays-pro", "ays-pro$PRODUCT$secure_copy_content_protection_and_content_locking", "wordpress", "wordpress$PRODUCT$wordpress"]}