CVE-2025-68576

Virusdie <= 1.1.6 - Authenticated (Subscriber+) Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.1.7
Patched in
17d
Time to patch

Description

The Virusdie – One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=1.1.6
PublishedDecember 21, 2025
Last updatedJanuary 6, 2026
Affected pluginvirusdie

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the process for investigating and exploiting **CVE-2025-68576** in the Virusdie plugin. Since specific source code was not provided, this plan relies on the vulnerability description and common patterns in the Virusdie plugin architecture. --- ### 1. Vulnerability Summa…

Show full research plan

This research plan outlines the process for investigating and exploiting CVE-2025-68576 in the Virusdie plugin. Since specific source code was not provided, this plan relies on the vulnerability description and common patterns in the Virusdie plugin architecture.


1. Vulnerability Summary

The Virusdie plugin (<= 1.1.6) contains a sensitive information exposure vulnerability. It allows authenticated users with Subscriber-level permissions to access data that should be restricted to Administrators. This typically occurs because an AJAX handler or REST API endpoint performs a nonce check but fails to perform a capability check (e.g., current_user_can('manage_options')), or uses a capability that is too low.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (inferred) or a REST API route under wp-json/virusdie/v1/ (inferred).
  • Vulnerable Action: Likely an AJAX action registered via wp_ajax_ (e.g., virusdie_get_data, virusdie_get_settings, or virusdie_account_info).
  • Authentication: Subscriber-level user required.
  • Payload: An HTTP POST request to the AJAX endpoint with the correct action and nonce parameters.
  • Exposed Data: Likely includes the Virusdie API Key, Site Unique ID, or internal plugin configuration state.

3. Code Flow (Inferred)

  1. Entry Point: An AJAX request is sent to admin-ajax.php with action=virusdie_....
  2. Hook Registration: The plugin registers the action:
    add_action('wp_ajax_virusdie_get_settings', 'virusdie_get_settings_callback');
  3. Vulnerable Function: The callback function (e.g., virusdie_get_settings_callback) is executed.
  4. Missing Check: The function likely calls check_ajax_referer('virusdie_nonce', 'nonce') but lacks if (!current_user_can('manage_options')) wp_die();.
  5. Information Leak: The function retrieves options using get_option('virusdie_api_key') and returns them in a JSON response via wp_send_json_success().

4. Nonce Acquisition Strategy

The Virusdie plugin enqueues its settings scripts in the WordPress admin area. Since Subscribers can access the wp-admin/profile.php or the main dashboard, they may be able to see the localized scripts.

  1. Identify Shortcode/Page: Virusdie usually enqueues scripts on its own settings page. However, nonces are often localized globally in the admin area.
  2. JS Variable Identification (Inferred): Look for wp_localize_script in the plugin source (likely in a file like virusdie.php or includes/class-virusdie-admin.php).
    • Expected JS Object: vd_data or virusdie_obj.
    • Expected Nonce Key: nonce or ajax_nonce.
  3. Strategy:
    • Log in as a Subscriber.
    • Navigate to /wp-admin/index.php.
    • Use browser_eval to extract the nonce: browser_eval("window.vd_data?.nonce").

5. Test Data Setup

  1. Plugin Installation: Install and activate Virusdie version 1.1.6.
  2. Configuration: Configure the plugin with a dummy API Key to ensure there is sensitive data to expose.
    wp option update virusdie_api_key "VULNERABLE-API-KEY-12345"
    wp option update virusdie_unique_id "SITE-ID-999"
    
  3. User Creation: Create a Subscriber-level user.
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
    

6. Exploitation Strategy

Step 1: Discover the exact AJAX action

Since the source is not provided, the agent must first find the vulnerable action name.

grep -rn "wp_ajax_" /var/www/html/wp-content/plugins/virusdie/

Look for actions that don't have a corresponding wp_ajax_nopriv_ (as the vulnerability is authenticated) and perform "get" operations.

Step 2: Acquire the Nonce

Login as the Subscriber and extract the nonce from the admin dashboard.

  • URL: http://localhost:8080/wp-login.php
  • Navigate to: http://localhost:8080/wp-admin/index.php
  • Action: browser_eval("window.virusdie_settings?.nonce") (Replace virusdie_settings with the actual variable found in Step 1).

Step 3: Trigger Information Exposure

Send the AJAX request using the http_request tool.

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: action=[VULNERABLE_ACTION]&nonce=[NONCE] (e.g., action=virusdie_get_settings&nonce=abc123def)

7. Expected Results

A successful exploit will return a JSON object (200 OK) containing sensitive configuration strings:

{
  "success": true,
  "data": {
    "api_key": "VULNERABLE-API-KEY-12345",
    "unique_id": "SITE-ID-999",
    "email": "admin@example.com"
  }
}

If the response contains the API key while authenticated as a Subscriber, the vulnerability is confirmed.

8. Verification Steps

After the HTTP request, verify the leaked data matches the database:

wp option get virusdie_api_key

Compare the output of this command with the api_key found in the HTTP response.

9. Alternative Approaches

  • REST API Check: If no AJAX actions are found, search for register_rest_route.
    grep -rn "register_rest_route" /var/www/html/wp-content/plugins/virusdie/
    
    Check the permission_callback. If it returns __return_true or checks for is_user_logged_in(), it is vulnerable.
  • Direct Option Leak: Check if the plugin uses wp_localize_script to pass the actual API key to the frontend/admin JS for all users, instead of just the nonce. This is a common form of Information Exposure.
    grep -rn "wp_localize_script" /var/www/html/wp-content/plugins/virusdie/ -A 10
    

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.