{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3452", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-08T15:24:57.130Z", "datePublished": "2025-04-29T08:21:44.044Z", "dateUpdated": "2026-04-08T17:27:01.517Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:01.517Z"}, "affected": [{"vendor": "secupress", "product": "SecuPress with Simple SSL \u2013 Simple and Performant Security", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.3.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SecuPress Free \u2014 WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'secupress_reinstall_plugins_admin_ajax_cb' function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins."}], "title": "SecuPress Free <= 2.3.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9125873-aedd-4334-b8e0-74b67d301904?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/secupress/trunk/free/modules/plugins-themes/tools.php#L686"}, {"url": "https://plugins.trac.wordpress.org/changeset/3283453/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-04-28T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-29T13:26:05.353683Z", "id": "CVE-2025-3452", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-29T13:26:15.223Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3452", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-29T13:26:05.353683Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-29T13:26:10.267Z"}}], "cna": {"title": "SecuPress Free <= 2.3.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "secupress", "product": "SecuPress Free \u2014 WordPress Security", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.3.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-28T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9125873-aedd-4334-b8e0-74b67d301904?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/secupress/trunk/free/modules/plugins-themes/tools.php#L686"}, {"url": "https://plugins.trac.wordpress.org/changeset/3283453/"}], "descriptions": [{"lang": "en", "value": "The SecuPress Free \u2014 WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'secupress_reinstall_plugins_admin_ajax_cb' function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-04-29T08:21:44.044Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3452", "state": "PUBLISHED", "dateUpdated": "2025-04-29T13:26:15.223Z", "dateReserved": "2025-04-08T15:24:57.130Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-29T08:21:44.044Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:secupress:secupress:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "B8CAA79A-C2F9-4484-B8E7-2F8B971D863E", "versionEndExcluding": "2.3.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The SecuPress Free \u2014 WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'secupress_reinstall_plugins_admin_ajax_cb' function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins."}, {"lang": "es", "value": "El complemento SecuPress Free \u2014 WordPress Security para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a la falta de comprobaci\u00f3n de la funci\u00f3n 'secupress_reinstall_plugins_admin_ajax_cb' en todas las versiones hasta la 2.3.9 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, instalen complementos arbitrarios."}], "id": "CVE-2025-3452", "lastModified": "2025-05-06T15:35:58.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-04-29T09:15:16.940", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/secupress/trunk/free/modules/plugins-themes/tools.php#L686"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3283453/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9125873-aedd-4334-b8e0-74b67d301904?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:04:43.196264+00:00", "value": {"mitigation_remediation": ["Upgrade the SecuPress plugin to the latest release (2.4 or later) to include the missing capability check.", "If an upgrade is not immediately feasible, modify the plugin or use a custom code snippet to disable or protect the 'secupress_reinstall_plugins_admin_ajax_cb' AJAX endpoint for Subscriber and lower roles, ensuring only administrators can trigger it.", "Regularly audit the plugin directory for unexpected or newly added plugins and configure logging or monitoring to detect anomalous installation activity."], "summary": {"action": "Apply Patch", "impact": "Unauthorized arbitrary plugin installation"}, "threat_synthesis": {"affected_systems": "The issue affects the free edition of the SecuPress WordPress Security plugin, specifically all releases up to and including version 2.3.9. Deployments hosting the plugin on any WordPress installation that allows Subscriber or higher roles are vulnerable. The observable product is SecuPress with Simple SSL \u2013 Simple and Performant Security, as documented in the corresponding CPE string.", "description_and_impact": "The vulnerability resides in the function 'secupress_reinstall_plugins_admin_ajax_cb' where a missing capability check allows any authenticated user with Subscriber-level access or higher to invoke this AJAX endpoint and install any WordPress plugin of their choice. This bypasses the plugin's intended restriction and effectively grants an attacker the ability to add arbitrary code to the site, creating a path to code execution, privilege escalation, or other malicious activity. The CVSS score of 4.3 indicates a moderate rating, reflecting the constraint that an attacker must already be authenticated.", "risk_and_exploitability": "With an EPSS score of less than 1%, the overall likelihood of exploitation in the wild is low, and the vulnerability has not yet been reported in the CISA KEV catalog. Nevertheless, the attack vector is an application-layer web request that requires authenticated access to a WordPress installation. An attacker must possess a user account with Subscriber or higher privileges, after which they can trigger the unauthenticated installation endpoint to introduce malicious plugins."}}}}, "created": "2026-04-20T23:15:06.302623+00:00", "updated": "2026-04-20T23:15:06.302632+00:00", "vendors": []}