SecuPress Free WordPress Security Plugin Missing Authorization Vulnerability Allowing Arbitrary Plugin Installation

Vulnerability

A vulnerability exists in the SecuPress Free WordPress Security plugin, in all versions up to and including 2.3.9, due to a missing capability check in the 'secupress_reinstall_plugins_admin_ajax_cb' function. Because the handler never verifies that the caller is allowed to install plugins, any authenticated user with Subscriber-level access or higher can install arbitrary plugins on the WordPress site.

Impact

Exploitation of this vulnerability allows unauthorized installation of plugins. Since an installed plugin executes as part of the site's own PHP code, this can lead to the introduction of malicious code or the creation of backdoors on the affected site.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a request to admin-ajax.php for the 'secupress_reinstall_plugins' action, including a list of plugins to be reinstalled. WordPress dispatches wp_ajax_* hooks for any logged-in user regardless of role, so without a capability check inside the callback the request succeeds and the listed plugins are installed.
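The pattern behind this class of bug, as an added illustration that is not SecuPress's code (the advisory does not show the plugin's implementation): a WordPress admin-ajax handler written without authorization beside the hardened form. All identifiers prefixed example_ and the example_install_plugin_from_wporg() installer are hypothetical; check_ajax_referer(), current_user_can(), the install_plugins capability, get_plugins() and wp_send_json_error() are standard WordPress APIs.

```php
<?php
/*
 * Added illustration, not SecuPress code. Names prefixed "example_" are
 * hypothetical placeholders for a plugin's own AJAX action and callback.
 */

// Hypothetical installer: in a real plugin this would wrap Plugin_Upgrader.
function example_install_plugin_from_wporg( $slug ) {
    // ... download and install the plugin identified by $slug ...
}

// VULNERABLE PATTERN.
// wp_ajax_* hooks fire for every logged-in user, Subscribers included.
// Nothing here checks whether the caller may install plugins, so the
// endpoint installs whatever slugs it is handed.
function example_reinstall_plugins_vulnerable_cb() {
    $slugs = isset( $_POST['plugins'] ) ? (array) wp_unslash( $_POST['plugins'] ) : array();
    foreach ( $slugs as $slug ) {
        example_install_plugin_from_wporg( sanitize_key( $slug ) );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_reinstall_plugins', 'example_reinstall_plugins_vulnerable_cb' );

// HARDENED PATTERN.
// 1. Verify a nonce so the request cannot be forged cross-site.
// 2. Check the capability that actually governs the action.
//    "install_plugins" is what WordPress core itself requires before
//    installing a plugin; Administrators have it, Subscribers do not.
// 3. Constrain the input to plugins already present on the site, so a
//    "reinstall" endpoint cannot be turned into an "install anything" one.
function example_reinstall_plugins_hardened_cb() {
    check_ajax_referer( 'example_reinstall_plugins', 'nonce' ); // dies with 403 on failure

    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $slugs = isset( $_POST['plugins'] ) ? (array) wp_unslash( $_POST['plugins'] ) : array();
    $slugs = array_map( 'sanitize_key', $slugs );

    // get_plugins() lives in wp-admin/includes/plugin.php and returns an
    // array keyed by "plugin-dir/main-file.php"; the directory is the slug.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $installed = array();
    foreach ( array_keys( get_plugins() ) as $plugin_file ) {
        $installed[ dirname( $plugin_file ) ] = true;
    }

    $reinstalled = array();
    foreach ( $slugs as $slug ) {
        if ( empty( $installed[ $slug ] ) ) {
            continue; // not an installed plugin: refuse rather than fetch new code
        }
        example_install_plugin_from_wporg( $slug );
        $reinstalled[] = $slug;
    }
    wp_send_json_success( array( 'reinstalled' => $reinstalled ) );
}
add_action( 'wp_ajax_example_reinstall_plugins_hardened', 'example_reinstall_plugins_hardened_cb' );
```

The nonce alone would not have prevented this issue: a nonce proves the request came from a page the user loaded, not that the user is entitled to the action, so the current_user_can() check is the one that matters for the Subscriber case. When auditing a plugin for the same bug, list every add_action( 'wp_ajax_...' ) registration and confirm the callback reaches a current_user_can() (or equivalent) check before doing anything privileged.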

Remediation

Users are advised to update the SecuPress Free WordPress Security plugin to version 2.3.10 or a later patched version.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 6.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.