Description
The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to sensitive information exposure due to storage of exported CSV files in a publicly accessible directory with predictable filenames in all versions up to, and including, 4.9.2. This makes it possible for unauthenticated attackers to access sensitive user data including emails, IP addresses, usernames, roles, and location data by directly accessing the exported CSV file.
Published: 2025-12-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The plugin allows exporting data to CSV files that contain emails, IP addresses, usernames, role information, and location data. These files are stored in a publicly accessible directory using predictable filenames. An unauthenticated attacker can download the CSV and obtain sensitive user information, which can be used for phishing, credential harvesting, or other attacks.

Affected Systems

The vulnerability affects the WordPress plugin Secure Copy Content Protection and Content Locking, versions 4.9.2 and earlier. The plugin is distributed by ays-pro.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium-severity vulnerability. The EPSS score of less than 1% shows that exploitation is considered unlikely at present. It is not listed in the CISA KEV catalog, so no confirmed widespread exploitation is known. However, because access to the CSV files is unauthenticated and the files are placed in a public folder, an attacker can obtain the data by simply visiting the file URL, without needing to exploit any code or perform further actions.

Generated by OpenCVE AI on April 21, 2026 at 17:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to version 4.9.3 or later to eliminate the insecure CSV export functionality.
  • Verify that the plugin’s export folder is outside the web root or protected by access controls such as .htaccess or similar.
  • If the plugin cannot be updated, disable or uninstall it, or modify the file permissions so that exported files are not publicly readable.

Advisories

No advisories yet.

History

Sun, 14 Dec 2025 21:30:00 +0000

Values Added:

  • First Time appeared: Ays-pro; Ays-pro secure Copy Content Protection And Content Locking; Wordpress; Wordpress wordpress
  • Vendors & Products: Ays-pro; Ays-pro secure Copy Content Protection And Content Locking; Wordpress; Wordpress wordpress

Fri, 12 Dec 2025 16:15:00 +0000

Type: Metrics

  • Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  • Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Dec 2025 15:15:00 +0000

Values Added:

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Dec 2025 11:30:00 +0000

Values Added:

  • Description: The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to sensitive information exposure due to storage of exported CSV files in a publicly accessible directory with predictable filenames in all versions up to, and including, 4.9.2. This makes it possible for unauthenticated attackers to access sensitive user data including emails, IP addresses, usernames, roles, and location data by directly accessing the exported CSV file.
  • Title: Secure Copy Content Protection and Content Locking <= 4.9.2 - Unauthenticated Sensitive Information Exposure via Exposed CSV Export File
  • Weaknesses: CWE-552
  • References:
  • Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:49.330Z

Reserved: 2025-12-10T13:08:38.289Z

Link: CVE-2025-14442

Vulnrichment

Updated: 2025-12-12T14:42:16.421Z

NVD

Status: Deferred

Published: 2025-12-12T12:15:46.377

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14442

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:30:37Z

Weaknesses