{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14864", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-18T01:15:36.057Z", "datePublished": "2026-02-19T04:36:18.706Z", "dateUpdated": "2026-04-08T17:06:29.314Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:29.314Z"}, "affected": [{"vendor": "virusdie", "product": "Virusdie \u2013 One-click website security", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on the `vd_get_apikey` function which is hooked to `wp_ajax_virusdie_apikey`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve the site's Virusdie API key, which could be used to access the site owner's Virusdie account and potentially compromise site security."}], "title": "Virusdie <= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) API Key Disclosure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8ef2e0b1-52ef-4f70-9e95-d010a586d060?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/virusdie/trunk/inc/class-virusdie.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/virusdie/trunk/inc/tools/class-virusdie-behavior.php#L240"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3450727%40virusdie&new=3450727%40virusdie&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sushi Com Abacate"}], "timeline": [{"time": "2026-02-18T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:09:07.048518Z", "id": "CVE-2025-14864", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:09:20.114Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14864", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:09:07.048518Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:09:15.692Z"}}], "cna": {"title": "Virusdie <= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) API Key Disclosure", "credits": [{"lang": "en", "type": "finder", "value": "Sushi Com Abacate"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "virusdie", "product": "Virusdie \u2013 One-click website security", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8ef2e0b1-52ef-4f70-9e95-d010a586d060?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/virusdie/trunk/inc/class-virusdie.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/virusdie/trunk/inc/tools/class-virusdie-behavior.php#L240"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3450727%40virusdie&new=3450727%40virusdie&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on the `vd_get_apikey` function which is hooked to `wp_ajax_virusdie_apikey`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve the site's Virusdie API key, which could be used to access the site owner's Virusdie account and potentially compromise site security."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-19T04:36:18.706Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14864", "state": "PUBLISHED", "dateUpdated": "2026-02-19T21:09:20.114Z", "dateReserved": "2025-12-18T01:15:36.057Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T04:36:18.706Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on the `vd_get_apikey` function which is hooked to `wp_ajax_virusdie_apikey`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve the site's Virusdie API key, which could be used to access the site owner's Virusdie account and potentially compromise site security."}, {"lang": "es", "value": "El plugin de seguridad de sitios web de un solo clic Virusdie para WordPress es vulnerable a la Exposici\u00f3n de Informaci\u00f3n Sensible en todas las versiones hasta la 1.1.7, inclusive. Esto se debe a la falta de comprobaciones de capacidad en la funci\u00f3n 'vd_get_apikey', que est\u00e1 enganchada a 'wp_ajax_virusdie_apikey'. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, recuperen la clave API de Virusdie del sitio, que podr\u00eda usarse para acceder a la cuenta de Virusdie del propietario del sitio y potencialmente comprometer la seguridad del sitio."}], "id": "CVE-2025-14864", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:35.970", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/virusdie/trunk/inc/class-virusdie.php#L75"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/virusdie/trunk/inc/tools/class-virusdie-behavior.php#L240"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3450727%40virusdie&new=3450727%40virusdie&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8ef2e0b1-52ef-4f70-9e95-d010a586d060?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Virusdie \u2013 One-click website security", "source": "cna", "vendor": "virusdie"}, "product": "virusdie_\u2013_one-click_website_security", "vendor": "virusdie"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T03:43:29.313856+00:00", "value": {"mitigation_remediation": ["Upgrade the Virusdie plugin to version 1.1.8 or later, which includes the necessary capability check for the API key endpoint.", "Add a temporary code snippet that blocks the wp_ajax_virusdie_apikey endpoint for all users except Administrators, preventing unauthorized API key requests until the official patch is applied.", "Review user accounts to ensure Subscriber-level access is limited to essential roles; remove or downgrade accounts that do not require Subscriber permissions."], "summary": {"action": "Apply Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "This vulnerability affects all installations of the Virusdie WordPress plugin up to and including version 1.1.7. Users running Virusdie 1.1.7 or older are at risk; newer releases have patched the missing authorization check.", "description_and_impact": "The Virusdie \u2013 One-click website security plugin for WordPress contains a missing capability check on the vd_get_apikey function, which is exposed via the wp_ajax_virusdie_apikey AJAX endpoint. Authenticated attackers with Subscriber-level permissions or higher can invoke this endpoint and receive the site's Virusdie API key. The exposed API key could allow an attacker to access the site owner's Virusdie account and potentially compromise site security, exposing sensitive configuration and security data.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate impact, while the EPSS score of less than 1% suggests a very low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. Attackers must authenticate to the WordPress site with a Subscriber role or higher and then perform an authenticated AJAX request to the wp_ajax_virusdie_apikey endpoint to retrieve the API key. No elevated privileges or remote code execution are required."}}}}, "created": "2026-02-19T10:07:03.405204+00:00", "updated": "2026-04-22T03:45:06.989390+00:00", "vendors": ["virusdie", "virusdie$PRODUCT$virusdie_\u2013_one-click_website_security", "wordpress", "wordpress$PRODUCT$wordpress"]}