[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fgxszLNUJ8XlqWZjXl5iGF08ZndEUG4Mc8Pv8vLfG3ec":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-25335","secure-copy-content-protection-and-content-locking-missing-authorization-3","Secure Copy Content Protection and Content Locking \u003C= 5.0.0 - Missing Authorization","The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","secure-copy-content-protection",null,"\u003C=5.0.0","5.0.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-08 00:00:00","2026-05-04 15:43:37",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6ea4ad81-dba6-4055-b81c-682424a6ffd0?source=api-prod",86,[22,23,24,25,26,27,28],"README.txt","admin\u002Fclass-secure-copy-content-protection-admin.php","admin\u002Fjs\u002Fadmin.js","languages\u002Fsecure-copy-content-protection-en_US.po","languages\u002Fsecure-copy-content-protection-ru_RU.po","languages\u002Fsecure-copy-content-protection.pot","secure-copy-content-protection.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-25335 (Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **Secure Copy Content Protection and Content Locking** plugin (\u003C= 5.0.0) is vulnerable to a **Missing Authorization** vulnerability. Specifically, the AJAX action `deactivate_sccp_option_sccp` lacks a capability check (`current_user_can`) and does not verify a security nonce. This allows any authenticated user, including those with **Subscriber-level** permissions, to perform unauthorized actions such as deleting plugin settings and data.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `deactivate_sccp_option_sccp`\n- **Method**: `POST`\n- **Authentication**: Required (Subscriber or higher)\n- **Parameters**: \n    - `action`: `deactivate_sccp_option_sccp`\n    - `upgrade_plugin`: `false` (Triggers data deletion)\n- **Preconditions**: The plugin must be installed and active.\n\n## 3. Code Flow\n1. **Frontend Trigger**: In `admin\u002Fjs\u002Fadmin.js`, when an admin attempts to deactivate the plugin, an AJAX request is triggered (lines 44-51).\n2. **AJAX Request**:\n   ```javascript\n   var data = {action: 'deactivate_sccp_option_sccp', upgrade_plugin: upgrade_plugin};\n   $.ajax({\n       url: sccp_admin_ajax.ajax_url, \u002F\u002F \u002Fwp-admin\u002Fadmin-ajax.php\n       method: 'post',\n       data: data,\n       ...\n   ```\n3. **Missing Nonce**: Unlike other actions in the same file (e.g., line 108), this specific action does not include a `_ajax_nonce` parameter.\n4. **Backend Handler**: The AJAX action `wp_ajax_deactivate_sccp_option_sccp` is registered in the plugin's admin class. Based on the vulnerability description and JS behavior, the PHP handler (likely named `deactivate_sccp_option_sccp` inside `Secure_Copy_Content_Protection_Admin`) executes the following logic without verifying if the user is an administrator:\n   - Checks `$_POST['upgrade_plugin']`.\n   - If `false`, it proceeds to delete plugin settings (e.g., `delete_option('ays_sccp_settings')`) or drop database tables.\n   - It returns a JSON success response.\n\n## 4. Nonce Acquisition Strategy\n**No Nonce is required** for the primary exploitation of `deactivate_sccp_option_sccp`. \nThe source code analysis of `admin\u002Fjs\u002Fadmin.js` confirms that the first AJAX call (line 46) sends only the `action` and `upgrade_plugin` parameters. If the PHP handler does not call `check_ajax_referer` or `wp_verify_nonce`, the request will be processed.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that a Subscriber can wipe the plugin's configuration.\n\n### Step-by-Step Plan:\n1. **Login**: Authenticate as a Subscriber user using the `http_request` tool to obtain session cookies.\n2. **Payload Construction**: Prepare a POST request to `admin-ajax.php`.\n3. **Execution**: Send the request with `action=deactivate_sccp_option_sccp` and `upgrade_plugin=false`.\n\n### HTTP Request (Playwright\u002Fhttp_request):\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: [Subscriber Cookies]\n\naction=deactivate_sccp_option_sccp&upgrade_plugin=false\n```\n\n## 6. Test Data Setup\n1. **Install Plugin**: Ensure `secure-copy-content-protection` version 5.0.0 is active.\n2. **Create User**: Create a Subscriber user:\n   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n3. **Configure Settings**: Set a dummy option that the plugin normally uses. Based on the source, `sccp_results_per_page` is a known option, but most settings likely reside in `ays_sccp_settings`:\n   `wp option update ays_sccp_settings '{\"notification_text\":\"Protected Content\"}'`\n   `wp option update sccp_","The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to unauthorized data deletion because the `deactivate_sccp_option_sccp` AJAX action fails to perform capability checks or nonce validation. This allows authenticated attackers with Subscriber-level access to wipe the plugin's configuration and database settings.","\u002F\u002F admin\u002Fclass-secure-copy-content-protection-admin.php around line 888\npublic function deactivate_sccp_option() {\t\t\n\n\tif( is_user_logged_in() ) {\n\t\t$request_value = esc_sql( sanitize_text_field( $_REQUEST['upgrade_plugin'] ) );\n\n---\n\n\u002F\u002F admin\u002Fjs\u002Fadmin.js line 46\nvar data = {action: 'deactivate_sccp_option_sccp', upgrade_plugin: upgrade_plugin};\n\nvar feedback_container = $(document).find('.ays-sccp-dialog-widget');\n\n$.ajax({\n    url: sccp_admin_ajax.ajax_url,\n    method: 'post',\n    dataType: 'json',\n    data: data,","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsecure-copy-content-protection\u002F5.0.0\u002Fadmin\u002Fclass-secure-copy-content-protection-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsecure-copy-content-protection\u002F5.0.1\u002Fadmin\u002Fclass-secure-copy-content-protection-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsecure-copy-content-protection\u002F5.0.0\u002Fadmin\u002Fclass-secure-copy-content-protection-admin.php\t2026-02-03 11:29:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsecure-copy-content-protection\u002F5.0.1\u002Fadmin\u002Fclass-secure-copy-content-protection-admin.php\t2026-02-11 08:19:54.000000000 +0000\n@@ -837,10 +837,14 @@\n \t\t\u002F*\n \t\t*  Documentation : https:\u002F\u002Fcodex.wordpress.org\u002FPlugin_API\u002FFilter_Reference\u002Fplugin_action_links_(plugin_file_name)\n \t\t*\u002F\n+\n+\n+        $sccp_ajax_deactivate_plugin_nonce = wp_create_nonce( 'sccp-ajax-deactivate-plugin-nonce' );\n+\n \t\t$settings_link = array(\n \t\t\t'\u003Ca href=\"' . admin_url('options-general.php?page=' . $this->plugin_name) . '\">' . __('Settings', 'secure-copy-content-protection') . '\u003C\u002Fa>',\n \t\t\t'\u003Ca href=\"https:\u002F\u002Fays-demo.com\u002Fsecure-copy-content-protection-free-demo\u002F\" target=\"_blank\">' . __('Demo', 'secure-copy-content-protection') . '\u003C\u002Fa>',\n-\t\t\t'\u003Ca href=\"https:\u002F\u002Fays-pro.com\u002Fwordpress\u002Fsecure-copy-content-protection?utm_source=dashboard-sccp&utm_medium=free-sccp&utm_campaign=buy-now-sccp\" class=\"ays-sccp-upgrade-plugin-btn\" target=\"_blank\" style=\"color:#01A32A; font-weight:bold;\">' . __('Upgrade 30% Sale', 'secure-copy-content-protection') . '\u003C\u002Fa>',\n+\t\t\t'\u003Ca href=\"https:\u002F\u002Fays-pro.com\u002Fwordpress\u002Fsecure-copy-content-protection?utm_source=dashboard-sccp&utm_medium=free-sccp&utm_campaign=buy-now-sccp\" class=\"ays-sccp-upgrade-plugin-btn\" target=\"_blank\" style=\"color:#01A32A; font-weight:bold;\">' . __('Upgrade 30% Sale', 'secure-copy-content-protection') . '\u003C\u002Fa>\n+            \u003Cinput type=\"hidden\" id=\"ays_sccp_ajax_deactivate_plugin_nonce\" name=\"ays_sccp_ajax_deactivate_plugin_nonce\" value=\"' . $sccp_ajax_deactivate_plugin_nonce .'\">',\n \t\t);\n \n \t\treturn array_merge($settings_link, $links);\n@@ -885,7 +889,20 @@\n \t\tinclude_once('partials\u002Fresults\u002Fsecure-copy-content-protection-results-display.php');\n     }\n \n-\tpublic function deactivate_sccp_option() {\t\t\n+\tpublic function deactivate_sccp_option() {\n+\n+        \u002F\u002F Run a security check.\n+        check_ajax_referer( 'sccp-ajax-deactivate-plugin-nonce', sanitize_key( $_REQUEST['_ajax_nonce'] ) );\n+\n+        \u002F\u002F Check for permissions.\n+        if ( ! current_user_can( 'manage_options' ) ) {\n+            ob_end_clean();\n+            $ob_get_clean = ob_get_clean();\n+            echo json_encode(array(\n+                'option' => ''\n+            ));\n+            wp_die();\n+        }\n \n \t\tif( is_user_logged_in() ) {\n             $request_value = esc_sql( sanitize_text_field( $_REQUEST['upgrade_plugin'] ) );","To exploit this vulnerability, an attacker needs to be authenticated to the WordPress site (e.g., as a Subscriber). The attacker can then send a crafted POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the parameter `action` set to `deactivate_sccp_option_sccp`. By setting the `upgrade_plugin` parameter to `false`, the plugin's backend logic will proceed to delete its configuration options and settings from the database without any authorization check (like `current_user_can('manage_options')`) or CSRF protection (nonce check).","gemini-3-flash-preview","2026-05-04 20:08:56","2026-05-04 20:09:51",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","5.0.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsecure-copy-content-protection\u002Ftags\u002F5.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecure-copy-content-protection.5.0.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsecure-copy-content-protection\u002Ftags\u002F5.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsecure-copy-content-protection.5.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsecure-copy-content-protection\u002Ftags"]