Description
The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'secupress_reinstall_plugins_admin_ajax_cb' function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins.
Published: 2025-04-29
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized arbitrary plugin installation
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the function 'secupress_reinstall_plugins_admin_ajax_cb', an admin-ajax callback (as its name indicates) that performs plugin installation without first verifying that the caller holds the capability WordPress requires for that operation ('install_plugins'). This is a missing-authorization defect (CWE-862): WordPress authenticates the caller, but the callback never asks whether that user is permitted to install plugins, so any account with Subscriber-level access or higher can invoke the endpoint and have plugins of its choosing installed. Because a plugin is executable PHP, this effectively lets a low-privileged account introduce code into the site, creating a path to code execution, privilege escalation, or persistence. The CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) is rated Medium because an authenticated account is required and the vector records only a limited integrity impact; the practical consequences of an attacker-chosen plugin running on the site can be considerably worse than that vector suggests.
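To make the CWE-862 pattern concrete, the following is an added illustration written for this page, not code from SecuPress: an admin-ajax handler that installs plugins from the WordPress.org directory, shown first with only a nonce check and then with the capability check that is missing. The action name 'example_reinstall_plugins', the nonce action 'example-reinstall', the request parameter 'plugins' and the helper 'example_install_from_wporg' are assumptions for the example and are not the plugin's real names.

```php
<?php
// Added illustration, not SecuPress code. Hook and parameter names are assumed.
// Installs each requested slug from the WordPress.org directory using core's
// Plugin_Upgrader. A plugin is executable PHP, so whoever can reach this
// function can run code on the site.
function example_install_from_wporg( array $slugs ): array {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';

    $results = array();
    foreach ( $slugs as $slug ) {
        $api = plugins_api( 'plugin_information', array(
            'slug'   => $slug,
            'fields' => array( 'sections' => false ),
        ) );
        if ( is_wp_error( $api ) ) {
            $results[ $slug ] = $api->get_error_message();
            continue;
        }
        $upgrader         = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
        $results[ $slug ] = ( true === $upgrader->install( $api->download_link ) );
    }
    return $results;
}

// VULNERABLE pattern (CWE-862). check_ajax_referer() only proves the request
// carries a nonce minted for the current logged-in user; a Subscriber obtains
// one from any page that enqueues it. Nothing here asks whether the user may
// install plugins, so Subscriber-level accounts reach the installer.
function example_reinstall_plugins_vulnerable() {
    check_ajax_referer( 'example-reinstall', 'nonce' );
    $slugs = array_map( 'sanitize_key', (array) ( $_POST['plugins'] ?? array() ) );
    wp_send_json_success( example_install_from_wporg( $slugs ) );
}

// HARDENED pattern. Authorization is decided with the same capability core uses
// for its own plugin installer ('install_plugins': Administrators only, Super
// Admins only on multisite, and always denied when DISALLOW_FILE_MODS is set),
// and it is checked before any side effect. wp_send_json_error() terminates
// the request, so the installer is never reached on failure.
function example_reinstall_plugins_hardened() {
    check_ajax_referer( 'example-reinstall', 'nonce' );
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'You are not allowed to install plugins.' ), 403 );
    }
    $slugs = array_map( 'sanitize_key', (array) ( $_POST['plugins'] ?? array() ) );
    wp_send_json_success( example_install_from_wporg( $slugs ) );
}

// Only the hardened handler is registered. wp_ajax_{action} fires for logged-in
// users; the wp_ajax_nopriv_{action} variant is deliberately not used.
add_action( 'wp_ajax_example_reinstall_plugins', 'example_reinstall_plugins_hardened' );
```

The point of the contrast is that a nonce is an anti-CSRF token, not an authorization decision: it answers "did this request originate from this user's session on this site", not "is this user allowed to install plugins". An AJAX callback that changes site state needs both checks, and the capability check must run before anything is written.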

Affected Systems

The issue affects the free edition of the SecuPress WordPress Security plugin, all releases up to and including version 2.3.9. Any WordPress site running an affected version is exposed wherever an attacker can obtain a low-privileged account, for example through open user registration (Subscriber is the default role for new registrations) or a compromised existing login. The NVD entry identifies the product with the CPE cpe:2.3:a:secupress:secupress:*:*:*:*:free:wordpress:*:*, i.e. the 'free' software edition for the WordPress target.

Risk and Exploitability

With an EPSS score below 1%, the estimated likelihood of exploitation in the wild is low; the SSVC assessment on this record lists exploitation as 'none' and the flaw as not automatable, and the vulnerability is not in the CISA KEV catalog. The attack itself is nonetheless simple: an application-layer request to the WordPress admin-ajax endpoint from any account with Subscriber or higher privileges. On sites that allow self-registration, that authentication requirement is a low barrier. Once logged in, the attacker invokes the installation action, which is authenticated but not authorized: WordPress knows who the caller is, but the callback never checks whether that caller is permitted to install plugins.

Generated by OpenCVE AI on April 20, 2026 at 23:04 UTC.

Remediation

No vendor fix or workaround is recorded in this entry. The advisory lists all versions up to and including 2.3.9 as affected and does not name the release that adds the capability check, so consult the vendor changelog for the first release newer than 2.3.9 before treating a site as patched.

OpenCVE Recommended Actions

  • Upgrade the SecuPress Free plugin to a release newer than 2.3.9 that adds the missing capability check; this record does not name the fixing release, so confirm it in the vendor changelog rather than assuming a particular version number.
  • If an upgrade is not immediately feasible, gate the admin-ajax action that reaches 'secupress_reinstall_plugins_admin_ajax_cb' at the site level (for example from a must-use plugin) so that only users holding the 'install_plugins' capability, i.e. Administrators (Super Admins on multisite), can trigger it. Restricting Subscribers alone is not sufficient: the issue affects Subscriber-level access and above, and no role below Administrator should reach a plugin installer.
  • Audit the plugin directory regularly for unexpected or newly added plugins, and log plugin installation events together with the acting user; an install attributed to any account below Administrator is a strong indicator of exploitation. Where the site does not need self-registration, disable it (Settings > General > Membership), since open registration hands out exactly the Subscriber access this issue requires.
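The second and third actions above as working code: an added example written for this page, not SecuPress's or OpenCVE's, intended to be dropped into wp-content/mu-plugins/ so it loads before ordinary plugins. It refuses the gated admin-ajax action to any user lacking 'install_plugins' before the plugin's own callback can run, records plugin installs and updates with the acting user, and diffs the plugin directory against a stored baseline once a day. The admin-ajax action name 'secupress_reinstall_plugins' in EXAMPLE_GATED_AJAX_ACTIONS is an assumption: the advisory names only the callback function, so confirm the real 'wp_ajax_...' hook by searching the plugin source for 'secupress_reinstall_plugins_admin_ajax_cb' and adjust the constant. The option name 'example_plugin_baseline' and the cron hook 'example_daily_plugin_audit' are likewise names chosen for this example.

```php
<?php
/**
 * Plugin Name: Example gate for plugin-install AJAX actions
 * Description: Added example, not SecuPress code. Save as wp-content/mu-plugins/example-gate.php.
 */

// ASSUMPTION: admin-ajax action names whose callbacks install plugins. The
// advisory names only the callback function, so verify the real hook in the
// plugin source: add_action( 'wp_ajax_<name>', 'secupress_reinstall_plugins_admin_ajax_cb' ).
const EXAMPLE_GATED_AJAX_ACTIONS = array( 'secupress_reinstall_plugins' );

// admin-ajax.php runs do_action( 'admin_init' ) before do_action( "wp_ajax_{$action}" ),
// so a check hooked here executes before the plugin's callback, whatever that
// callback does or fails to do.
function example_gate_plugin_install_ajax() {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( ! in_array( $action, EXAMPLE_GATED_AJAX_ACTIONS, true ) ) {
        return;
    }
    if ( current_user_can( 'install_plugins' ) ) {
        return; // Administrator (Super Admin on multisite): let the plugin handle it.
    }
    // A denied install attempt by a low-privileged account is a high-signal event.
    error_log( sprintf(
        'example-gate: denied ajax action "%s" for user %d (roles: %s) from %s',
        $action,
        get_current_user_id(),
        implode( ',', wp_get_current_user()->roles ),
        $_SERVER['REMOTE_ADDR'] ?? '-'
    ) );
    wp_send_json_error( array( 'message' => 'You are not allowed to install plugins.' ), 403 );
}
add_action( 'admin_init', 'example_gate_plugin_install_ajax', 0 );

// Detection 1: core fires upgrader_process_complete after any install or update
// that goes through WP_Upgrader. Recording the acting user makes an install by
// a non-administrator stand out in the logs.
function example_log_plugin_install( $upgrader, array $hook_extra ) {
    if ( ( $hook_extra['type'] ?? '' ) !== 'plugin' ) {
        return;
    }
    $items = array();
    if ( 'install' === ( $hook_extra['action'] ?? '' ) && $upgrader instanceof Plugin_Upgrader ) {
        $items[] = (string) $upgrader->plugin_info();       // e.g. "hello-dolly/hello.php"
    } elseif ( ! empty( $hook_extra['plugins'] ) ) {
        $items = (array) $hook_extra['plugins'];            // bulk update
    } elseif ( ! empty( $hook_extra['plugin'] ) ) {
        $items[] = $hook_extra['plugin'];                   // single update
    }
    error_log( sprintf(
        'example-gate: plugin %s [%s] by user %d (%s)',
        $hook_extra['action'] ?? 'unknown',
        implode( ',', $items ),
        get_current_user_id(),
        current_user_can( 'install_plugins' ) ? 'authorized' : 'NOT AUTHORIZED'
    ) );
}
add_action( 'upgrader_process_complete', 'example_log_plugin_install', 10, 2 );

// Detection 2: a zip dropped by hand or a callback that bypasses WP_Upgrader
// never fires the hook above, so also diff the plugin directory against a
// stored baseline once a day and report anything new.
function example_audit_plugin_directory() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    wp_cache_delete( 'plugins', 'plugins' );                // force a fresh directory scan
    $current  = array_keys( get_plugins() );
    $baseline = get_option( 'example_plugin_baseline', null );
    if ( null === $baseline ) {
        update_option( 'example_plugin_baseline', $current, false );
        return;
    }
    $new = array_diff( $current, (array) $baseline );
    if ( $new ) {
        // The baseline is deliberately not advanced: new entries keep being
        // reported until an administrator reviews them and resets the option.
        error_log( 'example-gate: NEW plugin files since baseline: ' . implode( ', ', $new ) );
    }
}
add_action( 'example_daily_plugin_audit', 'example_audit_plugin_directory' );
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'example_daily_plugin_audit' ) ) {
        wp_schedule_event( time(), 'daily', 'example_daily_plugin_audit' );
    }
} );
```

The gate is a stopgap, not a substitute for the vendor fix: it only covers action names listed in the constant, and it relies on the ordering of admin_init before wp_ajax_{action} in admin-ajax.php. The two detections complement each other, since the upgrader hook gives attribution (who installed what) while the directory diff catches installs that never went through core's upgrader at all.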


Advisories
Source  ID               Title
EUVD    EUVD-2025-15050  The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'secupress_reinstall_plugins_admin_ajax_cb' function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins.
History

Tue, 06 May 2025 16:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Secupress; Secupress secupress
CPEs                 (none)           cpe:2.3:a:secupress:secupress:*:*:*:*:free:wordpress:*:*
Vendors & Products   (none)           Secupress; Secupress secupress

Tue, 29 Apr 2025 14:15:00 +0000

Type     Values Removed   Values Added
Metrics  (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 29 Apr 2025 08:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'secupress_reinstall_plugins_admin_ajax_cb' function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins.
Title        (none)           SecuPress Free <= 2.3.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation
Weaknesses   (none)           CWE-862
References   (none)           (none listed)
Metrics      (none)           cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:01.517Z

Reserved: 2025-04-08T15:24:57.130Z

Link: CVE-2025-3452

Vulnrichment

Updated: 2025-04-29T13:26:10.267Z

NVD

Status : Analyzed

Published: 2025-04-29T09:15:16.940

Modified: 2025-05-06T15:35:58.647

Link: CVE-2025-3452

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:15:06Z

Weaknesses