Secure Copy Content Protection and Content Locking <= 5.0.0 - Missing Authorization
Description
The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Technical Details
<=5.0.0
What Changed in the Fix
Changes introduced in v5.0.1
Source Code
WordPress.org SVN
Exploitation Research Plan: CVE-2026-25335 (Missing Authorization)
1. Vulnerability Summary
The Secure Copy Content Protection and Content Locking plugin (<= 5.0.0) is vulnerable to a Missing Authorization vulnerability. Specifically, the AJAX action deactivate_sccp_option_sccp lacks a capability check (current_user_can) and does not verify a security nonce. This allows any authenticated user, including those with Subscriber-level permissions, to perform unauthorized actions such as deleting plugin settings and data.
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php
- Action: deactivate_sccp_option_sccp
- Method: POST
- Authentication: Required (Subscriber or higher)
- Parameters:
  - action: deactivate_sccp_option_sccp
  - upgrade_plugin: false (Triggers data deletion)
- Preconditions: The plugin must be installed and active.
3. Code Flow
- Frontend Trigger: In admin/js/admin.js, when an admin attempts to deactivate the plugin, an AJAX request is triggered (lines 44-51).
- AJAX Request:
  var data = {action: 'deactivate_sccp_option_sccp', upgrade_plugin: upgrade_plugin};
  $.ajax({
      url: sccp_admin_ajax.ajax_url, // /wp-admin/admin-ajax.php
      method: 'post',
      data: data,
      ...
- Missing Nonce: Unlike other actions in the same file (e.g., line 108), this specific action does not include a _ajax_nonce parameter.
- Backend Handler: The AJAX action wp_ajax_deactivate_sccp_option_sccp is registered in the plugin's admin class. Based on the vulnerability description and JS behavior, the PHP handler (likely named deactivate_sccp_option_sccp inside Secure_Copy_Content_Protection_Admin) executes the following logic without verifying if the user is an administrator:
  - Checks $_POST['upgrade_plugin'].
  - If false, it proceeds to delete plugin settings (e.g., delete_option('ays_sccp_settings')) or drop database tables.
  - It returns a JSON success response.
4. Nonce Acquisition Strategy
No nonce is required for the primary exploitation of deactivate_sccp_option_sccp.
The source code analysis of admin/js/admin.js confirms that the first AJAX call (line 46) sends only the action and upgrade_plugin parameters. If the PHP handler does not call check_ajax_referer or wp_verify_nonce, the request will be processed.
5. Exploitation Strategy
The goal is to demonstrate that a Subscriber can wipe the plugin's configuration.
Step-by-Step Plan:
- Login: Authenticate as a Subscriber user using the http_request tool to obtain session cookies.
- Payload Construction: Prepare a POST request to admin-ajax.php.
- Execution: Send the request with action=deactivate_sccp_option_sccp and upgrade_plugin=false.
HTTP Request (Playwright/http_request):
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Cookie: [Subscriber Cookies]

action=deactivate_sccp_option_sccp&upgrade_plugin=false
6. Test Data Setup
- Install Plugin: Ensure secure-copy-content-protection version 5.0.0 is active.
- Create User: Create a Subscriber user:
  wp user create attacker attacker@example.com --role=subscriber --user_pass=password
- Configure Settings: Set a dummy option that the plugin normally uses. Based on the source, sccp_results_per_page is a known option, but most settings likely reside in ays_sccp_settings:
  wp option update ays_sccp_settings '{"notification_text":"Protected Content"}'
`wp option update sccp_
Summary
The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to unauthorized data deletion because the `deactivate_sccp_option_sccp` AJAX action fails to perform capability checks or nonce validation. This allows authenticated attackers with Subscriber-level access to wipe the plugin's configuration and database settings.
Vulnerable Code
// admin/class-secure-copy-content-protection-admin.php around line 888
public function deactivate_sccp_option() {
    if( is_user_logged_in() ) {
        $request_value = esc_sql( sanitize_text_field( $_REQUEST['upgrade_plugin'] ) );

---

// admin/js/admin.js line 46
var data = {action: 'deactivate_sccp_option_sccp', upgrade_plugin: upgrade_plugin};
var feedback_container = $(document).find('.ays-sccp-dialog-widget');
$.ajax({
    url: sccp_admin_ajax.ajax_url,
    method: 'post',
    dataType: 'json',
    data: data,
Security Fix
@@ -837,10 +837,14 @@ /* * Documentation : https://codex.wordpress.org/Plugin_API/Filter_Reference/plugin_action_links_(plugin_file_name) */ + + + $sccp_ajax_deactivate_plugin_nonce = wp_create_nonce( 'sccp-ajax-deactivate-plugin-nonce' ); + $settings_link = array( '<a href="' . admin_url('options-general.php?page=' . $this->plugin_name) . '">' . __('Settings', 'secure-copy-content-protection') . '</a>', '<a href="https://ays-demo.com/secure-copy-content-protection-free-demo/" target="_blank">' . __('Demo', 'secure-copy-content-protection') . '</a>', - '<a href="https://ays-pro.com/wordpress/secure-copy-content-protection?utm_source=dashboard-sccp&utm_medium=free-sccp&utm_campaign=buy-now-sccp" class="ays-sccp-upgrade-plugin-btn" target="_blank" style="color:#01A32A; font-weight:bold;">' . __('Upgrade 30% Sale', 'secure-copy-content-protection') . '</a>', + '<a href="https://ays-pro.com/wordpress/secure-copy-content-protection?utm_source=dashboard-sccp&utm_medium=free-sccp&utm_campaign=buy-now-sccp" class="ays-sccp-upgrade-plugin-btn" target="_blank" style="color:#01A32A; font-weight:bold;">' . __('Upgrade 30% Sale', 'secure-copy-content-protection') . '</a> + <input type="hidden" id="ays_sccp_ajax_deactivate_plugin_nonce" name="ays_sccp_ajax_deactivate_plugin_nonce" value="' . $sccp_ajax_deactivate_plugin_nonce .'">', ); return array_merge($settings_link, $links); 
@@ -885,7 +889,20 @@ include_once('partials/results/secure-copy-content-protection-results-display.php'); } - public function deactivate_sccp_option() { + public function deactivate_sccp_option() { + + // Run a security check. + check_ajax_referer( 'sccp-ajax-deactivate-plugin-nonce', sanitize_key( $_REQUEST['_ajax_nonce'] ) ); + + // Check for permissions. + if ( ! current_user_can( 'manage_options' ) ) { + ob_end_clean(); + $ob_get_clean = ob_get_clean(); + echo json_encode(array( + 'option' => '' + )); + wp_die(); + } if( is_user_logged_in() ) { $request_value = esc_sql( sanitize_text_field( $_REQUEST['upgrade_plugin'] ) );
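Review bot: In the hunk at @@ -837, the nonce reaches the page only as a hidden `<input id="ays_sccp_ajax_deactivate_plugin_nonce">` concatenated into the "Upgrade 30% Sale" link string, and nothing in the visible diff shows admin.js reading that field and sending it as `_ajax_nonce`. Without the matching client change, the new `check_ajax_referer` call would reject the legitimate deactivation request, so confirm the JS side ships in the same release. Consider passing the nonce through the existing `sccp_admin_ajax` script object that already carries `ajax_url`, rather than embedding form markup in an action-link array element.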
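Review bot: In the hunk at @@ -885, the second argument of `check_ajax_referer()` is the name of the request field that holds the nonce, not the nonce value, so `sanitize_key( $_REQUEST['_ajax_nonce'] )` is in the wrong position. Verification only succeeds because the function falls back to `$_REQUEST['_ajax_nonce']` when the named field is absent, and the direct array read emits a PHP notice or warning when the parameter is missing. Pass `'_ajax_nonce'` as the second argument instead. In the permission branch, `ob_end_clean()` followed by `$ob_get_clean = ob_get_clean();` discards buffers twice and assigns a variable that is never used; a single `wp_send_json_error()` call with a 403 status would make the denial explicit, and the remaining `is_user_logged_in()` test is redundant behind `current_user_can( 'manage_options' )`.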
Exploit Outline
To exploit this vulnerability, an attacker needs to be authenticated to the WordPress site (e.g., as a Subscriber). The attacker can then send a crafted POST request to `/wp-admin/admin-ajax.php` with the parameter `action` set to `deactivate_sccp_option_sccp`. By setting the `upgrade_plugin` parameter to `false`, the plugin's backend logic will proceed to delete its configuration options and settings from the database without any authorization check (like `current_user_can('manage_options')`) or CSRF protection (nonce check).