Description
The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. This is due to missing nonce validation on the 'ays_sccp_results_export_file' AJAX action. This makes it possible for unauthenticated attackers to export sensitive plugin data including email addresses, IP addresses, physical addresses, user IDs, and other user information via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The exported data is stored in a publicly accessible file, allowing attackers to receive the sensitive information even though they are not authenticated.
Published: 2025-12-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted Data Export via CSRF
Action: Immediate Patch
AI Analysis

Impact

The plugin's 'ays_sccp_results_export_file' AJAX action performs no nonce validation, so the handler accepts any request that arrives with a logged-in administrator's session cookies, whether or not that administrator intended it (CWE-352, Cross-Site Request Forgery). An attacker who holds no account on the site can therefore lure an administrator into loading an attacker-controlled page or link and have the administrator's browser trigger an export of the plugin's stored data: email addresses, IP addresses, physical addresses, user IDs and other user information. Because the plugin writes that export to a file at a publicly reachable location, the attacker then fetches it directly with no credentials at all, turning a one-click CSRF into a confidentiality breach.

Affected Systems

All installations of the Secure Copy Content Protection and Content Locking plugin by ays-pro running version 4.9.2 or earlier are affected, regardless of the WordPress core version. The advisory scopes the flaw to versions up to and including 4.9.2, so 4.9.3 is the first release outside the affected range.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium), vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N: reachable over the network, no privileges needed by the attacker, user interaction required, and only confidentiality affected. The EPSS score is below 1% and the CVE is not in the CISA KEV catalog, so observed exploitation is unlikely at present. The practical precondition is social engineering: an administrator who is logged in to wp-admin must load an attacker-controlled page or link, at which point the browser sends the forged admin-ajax.php request with the administrator's own cookies. Because the description says a plain link click suffices (a top-level GET navigation), default browser cookie handling does not block the request. No further interaction is needed afterwards; the attacker retrieves the exported file from its public location at leisure.

Generated by OpenCVE AI on April 21, 2026 at 17:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Secure Copy Content Protection and Content Locking plugin to version 4.9.3 or later, the first release outside the affected range (<= 4.9.2) stated in the advisory.
  • Locate any export files the plugin has already written at its public location, delete them, and deny direct HTTP access to that directory in the web server configuration; filesystem permissions alone do not help when the web server process itself is what serves the file. Treat any export file with a timestamp nobody can account for as a possible disclosure.
  • For plugin maintainers: every wp_ajax_* handler that reads or writes data must call check_ajax_referer() with an action-specific nonce and also verify a capability with current_user_can(); a nonce proves that the request was intended, not that the user is allowed to export. Streaming the export in the HTTP response, rather than persisting it to a web-served path, removes the public-file exposure entirely.

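The two handler patterns contrasted above, as an added illustration written for this page; it is not the plugin's own code, and the only identifier taken from the advisory is the AJAX action name 'ays_sccp_results_export_file' (plus the kinds of data the description lists). The callback and helper names (sccp_export_vulnerable, sccp_export_hardened, sccp_collect_rows, sccp_enqueue_admin_js), the 'sccp' upload subdirectory and the sample rows are hypothetical and constructed. It goes a step beyond the bare nonce fix by adding the capability check and streaming the export, which together also address the public-file exposure the description mentions.

```php
<?php
/**
 * Added illustration for this page, not the plugin's code. The only identifier
 * taken from the advisory is the AJAX action name 'ays_sccp_results_export_file';
 * every function name, helper and path below is hypothetical.
 */

// Constructed sample of the kind of data the description says the export
// contains (user ID, email, IP, physical address). Stand-in for plugin storage.
function sccp_collect_rows() {
    return [
        ['user_id', 'email', 'ip', 'address'],
        [7,  'alice@example.com', '203.0.113.10', '1 Example Street'],
        [12, 'bob@example.net',   '198.51.100.7', '42 Sample Road'],
    ];
}

// --- Vulnerable pattern (reconstruction of the CWE-352 weakness) ---
// Hooking only wp_ajax_* (not wp_ajax_nopriv_*) means WordPress requires a
// logged-in user, but nothing proves that user *intended* this request, so a
// cross-site link or auto-submitting form riding on the admin's cookies is accepted.
// Registration is commented out so that only the hardened handler is active.
// add_action('wp_ajax_ays_sccp_results_export_file', 'sccp_export_vulnerable');
function sccp_export_vulnerable() {
    // No check_ajax_referer(), no current_user_can().
    $upload = wp_upload_dir();
    $dir    = $upload['basedir'] . '/sccp';   // under the web root, served by Apache/nginx
    wp_mkdir_p($dir);
    $fh = fopen($dir . '/results.csv', 'w');  // predictable name, no access control
    foreach (sccp_collect_rows() as $row) {
        fputcsv($fh, $row);
    }
    fclose($fh);
    // Anyone who knows the URL can now fetch the file without logging in.
    wp_send_json_success(['url' => $upload['baseurl'] . '/sccp/results.csv']);
}

// --- Hardened pattern ---
add_action('wp_ajax_ays_sccp_results_export_file', 'sccp_export_hardened');
function sccp_export_hardened() {
    // 1. CSRF: require a nonce tied to this action and to the current user's
    //    session. check_ajax_referer() looks in $_REQUEST['_ajax_nonce'] (then
    //    '_wpnonce') and terminates the request with HTTP 403 if it is missing or stale.
    check_ajax_referer('ays_sccp_results_export_file');

    // 2. Authorization: a nonce proves intent, not privilege. Without this check
    //    any logged-in subscriber holding a valid nonce could pull the export.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'insufficient privileges'], 403);
    }

    // 3. Exposure: stream the CSV in the response instead of writing it to a
    //    web-served path, so nothing persists for an unauthenticated party to fetch.
    nocache_headers();
    header('Content-Type: text/csv; charset=utf-8');
    header('Content-Disposition: attachment; filename="sccp-results.csv"');
    $out = fopen('php://output', 'w');
    foreach (sccp_collect_rows() as $row) {
        fputcsv($out, $row);
    }
    fclose($out);
    wp_die();
}

// The admin page's JavaScript must send the nonce with the request. Issue it
// server-side when enqueueing the (hypothetical) admin script; the script then
// posts { action: 'ays_sccp_results_export_file', _ajax_nonce: sccpExport.nonce }
// to sccpExport.ajaxUrl.
add_action('admin_enqueue_scripts', 'sccp_enqueue_admin_js');
function sccp_enqueue_admin_js() {
    wp_enqueue_script('sccp-admin', plugins_url('admin.js', __FILE__), ['jquery'], '1.0', true);
    wp_add_inline_script('sccp-admin', 'var sccpExport = ' . wp_json_encode([
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('ays_sccp_results_export_file'),
    ]) . ';', 'before');
}
```

WordPress nonces are per-user, per-action tokens that expire after two 12-hour ticks, and a page on another origin cannot read them because of the same-origin policy, so the hardened handler rejects any request that the administrator's own admin page did not generate. The capability check is deliberately separate: the nonce answers "did this user mean to send this?", current_user_can() answers "may this user do it at all?".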


Advisories

No advisories yet.

History

Sun, 14 Dec 2025 21:30:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Ays-pro; Ays-pro secure Copy Content Protection And Content Locking; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Ays-pro; Ays-pro secure Copy Content Protection And Content Locking; Wordpress; Wordpress wordpress

Fri, 12 Dec 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Dec 2025 11:30:00 +0000

Type: Description
Values removed: (none)
Values added: The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. This is due to missing nonce validation on the 'ays_sccp_results_export_file' AJAX action. This makes it possible for unauthenticated attackers to export sensitive plugin data including email addresses, IP addresses, physical addresses, user IDs, and other user information via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The exported data is stored in a publicly accessible file, allowing attackers to receive the sensitive information even though they are not authenticated.

Type: Title
Values removed: (none)
Values added: Secure Copy Content Protection and Content Locking <= 4.9.2 - Cross-Site Request Forgery to Data Export

Type: Weaknesses
Values removed: (none)
Values added: CWE-352

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:49.188Z

Reserved: 2025-12-05T20:38:26.784Z

Link: CVE-2025-14159

Vulnrichment

Updated: 2025-12-12T14:41:28.031Z

NVD

Status : Deferred

Published: 2025-12-12T12:15:46.220

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14159

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:30:37Z

Weaknesses