Unauthorized Data Modification in SecuPress Free WordPress Security Plugin
CVE-2025-3452

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Secupress Free — WordPress Security
Vendor: CVE Published:; 29 April 2025

What is CVE-2025-3452?

The SecuPress Free plugin for WordPress is susceptible to unauthorized data modification owing to a lack of capability checks in the 'secupress_reinstall_plugins_admin_ajax_cb' function. This vulnerability affects all versions up to 2.3.9 and permits authenticated attackers with Subscriber-level access and higher to install arbitrary plugins, posing serious risks to site security. Administrators should review their installations and apply necessary updates to mitigate potential exploits.

Affected Version(s)

SecuPress Free — WordPress Security * <= 2.3.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/secupress/trun...

https://plugins.trac.wordpress.org/changeset/3283453/

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 29, 2025
Vulnerability Reserved
Apr 8, 2025

Credit

Michael Mazzolini